Cross-site scripting in GitLab Enterprise Edition and Gitlab Community Edition - CVE-2026-13320
Published: July 8, 2026
GitLab Enterprise Edition
Gitlab Community Edition
Detailed vulnerability description
The vulnerability allows a remote user to execute arbitrary scripts in another user's browser session.
The vulnerability exists due to improper sanitization of user-supplied input in wiki markup rendering when rendering user-supplied wiki content. A remote privileged user can inject specially crafted markup to execute arbitrary scripts in another user's browser session.
User interaction is required for the victim to view the rendered content.