Improper Restriction of Rendered UI Layers or Frames in Gitlab Community Edition and GitLab Enterprise Edition - CVE-2026-3254


Published: May 18, 2026


Vulnerability identifier: #VU131661
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-3254
CWE-ID: CWE-1021
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: GitLab, Inc
Affected software:
Gitlab Community Edition
GitLab Enterprise Edition

Detailed vulnerability description

The vulnerability allows a remote user to load unauthorized content into another user's browser.

The vulnerability exists due to improper restriction of rendered UI layers or frames in the Mermaid sandbox when rendering Mermaid content under certain conditions. A remote user can supply crafted input to load unauthorized content into another user's browser.

User interaction is required.
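The weakness class here, CWE-1021, is about content being rendered inside frames or UI layers that the embedding page did not intend to allow. The following is an added example (not GitLab's code and not the fix shipped for CVE-2026-3254) showing two generic defender-side checks for this class: whether an HTTP response carries framing protection (CSP frame-ancestors, with X-Frame-Options as a fallback), and whether an iframe sandbox attribute grants a token combination that lets framed content escape its sandbox. The header sets and sandbox strings are constructed for illustration.

```python
"""Generic checks for CWE-1021 (improper restriction of rendered UI layers or frames).

Added example: the functions below are not GitLab code and do not reproduce
the CVE-2026-3254 fix. All sample inputs are constructed for illustration.
"""
from typing import Dict, List


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Parse a Content-Security-Policy header into {directive: [source tokens]}."""
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def assess_frame_protection(headers: Dict[str, str]) -> Dict[str, object]:
    """Decide whether a response may be framed by a third-party origin.

    Browsers that understand CSP frame-ancestors use it and ignore
    X-Frame-Options when both are present, so the CSP directive decides the
    verdict; X-Frame-Options only matters as a fallback for older clients.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    csp = lower.get("content-security-policy")
    ancestors = parse_csp(csp).get("frame-ancestors") if csp else None
    xfo = lower.get("x-frame-options", "").strip().upper()

    if ancestors is not None:
        # A wildcard or a plain-http ancestor lets untrusted pages embed the response.
        if "*" in ancestors or any(a.startswith("http:") for a in ancestors):
            findings.append("frame-ancestors permits arbitrary or insecure origins")
            protected = False
        else:
            protected = True
        if xfo not in ("DENY", "SAMEORIGIN"):
            findings.append("no X-Frame-Options fallback for browsers without CSP support")
    elif xfo in ("DENY", "SAMEORIGIN"):
        protected = True
        findings.append("relying on X-Frame-Options only; add CSP frame-ancestors")
    else:
        protected = False
        findings.append("response can be framed: no frame-ancestors and no X-Frame-Options")

    return {"protected": protected, "findings": findings}


def sandbox_allows_escape(sandbox_attr: str) -> bool:
    """Return True if an iframe sandbox attribute combines allow-scripts with
    allow-same-origin, which lets same-origin framed content remove its own
    sandbox attribute and run without restrictions."""
    tokens = {t.lower() for t in sandbox_attr.split()}
    return {"allow-scripts", "allow-same-origin"} <= tokens


if __name__ == "__main__":
    # Constructed sample header sets, not captured from any real server.
    samples = {
        "hardened": {
            "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
            "X-Frame-Options": "DENY",
        },
        "csp-without-frame-ancestors": {"Content-Security-Policy": "default-src 'self'"},
        "xfo-only": {"X-Frame-Options": "SAMEORIGIN"},
        "wildcard-ancestors": {
            "Content-Security-Policy": "frame-ancestors *",
            "X-Frame-Options": "DENY",
        },
    }
    for name, hdrs in samples.items():
        print(name, assess_frame_protection(hdrs))
    print("sandbox escape:", sandbox_allows_escape("allow-scripts allow-same-origin"))
```

The `wildcard-ancestors` sample is the instructive one: a strict `X-Frame-Options: DENY` does not help once a permissive `frame-ancestors` directive is present, because modern browsers honour the CSP directive and discard the older header.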


How to mitigate CVE-2026-3254

Install the security update from the vendor's website.

Sources