CVE-2026-10086 | GitLab has remediated an issue in GitLab EE affecting all ve… | CVSS 8.7 HIGH

Description

GitLab has remediated an issue in GitLab EE affecting all versions from 16.4 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed an authenticated user with developer-role permissions to execute arbitrary client-side code in the context of another user's session, due to improper sanitization of user-supplied input.

Metadata

CVE ID: CVE-2026-10086
State: PUBLISHED
Assigner: GitLab
Reserved: 2026-05-29 12:04 UTC
Published: 2026-06-25 05:03 UTC
Last updated: 2026-06-25 05:03 UTC
Primary CWE: CWE-79
CWE-79: Improper Neutralization of Input During Web Page Gen…
Vendor / Product: GitLab / GitLab
Sources: cve.org · NVD

Severity & Metrics

8.7 HIGH CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Affected products (1)

Vendor	Product	Platform	Versions
GitLab	GitLab	—	16.4 < 18.11.6, 19.0 < 19.0.3, 19.1 < 19.1.1

Weakness (CWE)

CWE	Source	Description
CWE-79	cna	CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS scores (1)

Score	Severity	Version	Source	Vector
8.7	HIGH	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

References (3)

https://gitlab.com/gitlab-org/gitlab/-/work_items/601634
HackerOne Bug Bounty Report #3734800 https://hackerone.com/reports/3734800
https://docs.gitlab.com/releases/patches/patch-release-gitlab-19-1-1-released/