Cross-site scripting in GitLab Enterprise Edition and Gitlab Community Edition - CVE-2026-13320

 

Cross-site scripting in GitLab Enterprise Edition and Gitlab Community Edition - CVE-2026-13320

Published: July 8, 2026


Vulnerability identifier: #VU137124
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-13320
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: GitLab, Inc
Affected software:
GitLab Enterprise Edition
Gitlab Community Edition

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary scripts in another user's browser session.

The vulnerability exists due to improper sanitization of user-supplied input in wiki markup rendering when rendering user-supplied wiki content. A remote privileged user can inject specially crafted markup to execute arbitrary scripts in another user's browser session.

User interaction is required for the victim to view the rendered content.


How to mitigate CVE-2026-13320

Install security update from vendor's website.

Sources