Cross-site scripting in GitLab Enterprise Edition and Gitlab Community Edition - CVE-2026-6896

 

Cross-site scripting in GitLab Enterprise Edition and Gitlab Community Edition - CVE-2026-6896

Published: July 8, 2026


Vulnerability identifier: #VU137123
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-6896
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: GitLab, Inc
Affected software:
GitLab Enterprise Edition
Gitlab Community Edition

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary scripts in another user's browser session.

The vulnerability exists due to improper sanitization of user-supplied input in the vulnerability evidence table renderer when rendering user-supplied content. A remote user can inject specially crafted input to execute arbitrary scripts in another user's browser session.

User interaction is required for the victim to view the rendered content.


How to mitigate CVE-2026-6896

Install security update from vendor's website.

Sources