CVE-2026-6335 MEDIUM

CVE-2026-6335: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab

Vendor Gitlab

Product GitLab

Weakness CWE-79 · XSS

Published May 14, 2026

Last update May 15, 2026

View on NVD All CVEs

CVSS base score

5.4/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction Required

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.11 before 18.11.3 that under certain conditions could have allowed an authenticated user to execute arbitrary code in another user's browser session due to improper sanitization.

Key dates

02Disclosure timeline

May 14, 2026 CVE published

May 15, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-6335

Related vulnerabilities

04Related CVE

CVE-2026-3333 MinhNhut Link Gateway <= 3.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes CVE-2021-33853 CVE-2022-0780 SearchIQ < 3.9 - Unauthenticated Stored XSS CVE-2021-24875 eCommerce Product Catalog for WordPress < 3.0.39 - Reflected Cross-Site Scripting CVE-2024-37512 WordPress NEX-Forms – Ultimate Form Builder plugin <= 8.5.10 - Cross Site Scripting (XSS) vulnerability