Cross-site scripting in Gitlab Community Edition and GitLab Enterprise Edition - CVE-2025-12669


Published: May 18, 2026


Vulnerability identifier: #VU131679
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2025-12669
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: GitLab, Inc
Affected software:
Gitlab Community Edition
GitLab Enterprise Edition

Detailed vulnerability description

The vulnerability allows a remote user to inject HTML and JavaScript into email notifications sent to other users.

The vulnerability exists due to improper input sanitization in achievement email notifications when generating notification content. A remote user can supply crafted HTML and JavaScript that is then included unescaped in email notifications sent to other users.

User interaction is required to open the email notification.
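The weakness class described above (CWE-79 in generated mail content) is illustrated here with an added Ruby example; it is not GitLab's code, and the function names, the `achievement name` field and the sample input are assumptions. The escaping helper `ERB::Util.html_escape` is the standard one shipped with Ruby's ERB.

```ruby
# Added illustration (hypothetical, not GitLab's code): an untrusted
# achievement name rendered into an HTML email body, first with raw
# interpolation (the CWE-79 pattern), then with proper HTML escaping.
require "erb"

# Constructed sample input: an achievement name chosen by a remote user.
UNTRUSTED_NAME = "Top Contributor <script>alert(1)</script>"

# Vulnerable pattern: the value is dropped into the markup unchanged,
# so any tags it contains become part of the email's HTML.
def render_achievement_email_unsafe(name)
  "<p>You have been awarded the achievement: #{name}</p>"
end

# Fixed pattern: every untrusted value is HTML-escaped before it enters
# the markup, so a mail client renders it as text rather than as tags.
def render_achievement_email_safe(name)
  "<p>You have been awarded the achievement: #{ERB::Util.html_escape(name)}</p>"
end

# Defensive check for mailer tests: does the rendered body contain any
# element that the template itself did not put there?
def contains_unexpected_tags?(body, allowed_tags = %w[p])
  tags = body.scan(/<\/?([a-zA-Z][a-zA-Z0-9]*)/).flatten.map(&:downcase).uniq
  tags.any? { |t| !allowed_tags.include?(t) }
end

if __FILE__ == $PROGRAM_NAME
  puts render_achievement_email_unsafe(UNTRUSTED_NAME)
  puts render_achievement_email_safe(UNTRUSTED_NAME)
end
```

A check like `contains_unexpected_tags?` run over mailer output in a test suite catches a regression of this kind before it reaches recipients.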


How to mitigate CVE-2025-12669

Install security update from vendor's website.

Sources