GitLab HTML and JavaScript Injection Vulnerability in Email Notifications

Vulnerability

A vulnerability allowing authenticated users to inject HTML and JavaScript into email notifications was identified in GitLab CE/EE. This issue affects all versions from 15.11 prior to 18.9.7, 18.10 prior to 18.10.6, and 18.11 prior to 18.11.3. The vulnerability arose from inadequate input sanitization, which could have led to the execution of malicious scripts in the context of the email recipient.

Impact

Exploitation of this vulnerability could result in cross-site scripting (XSS) attacks, where injected scripts are executed in the context of the user's email client.

Remediation

Users can upgrade to GitLab versions 18.9.7, 18.10.6, or 18.11.3 to address this vulnerability.
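The advisory attributes the flaw to inadequate input sanitization of user-supplied text that is rendered into HTML email. The following added example (not GitLab's code; the notification template and sample title are constructed) contrasts the unsafe interpolation pattern with the escaped form, plus a check a test suite can use to confirm untrusted values cannot open a tag. In Rails, `<%= %>` escapes by default; the risk arises when a value is marked `html_safe` or a body is assembled by string interpolation, as simulated here.

```ruby
require "erb"

# Constructed sample of user-controlled text (e.g. an issue title) that ends up
# in an HTML notification email. Hypothetical input, not from the advisory.
UNTRUSTED_TITLE = "Fix login <script>alert(1)</script> bug"

# Vulnerable pattern: the untrusted value is interpolated straight into markup,
# so any tags it carries become part of the email's HTML.
def render_unsafe(title)
  "<p>New issue: #{title}</p>"
end

# Hardened pattern: HTML-escape every untrusted value at the point it enters
# markup. ERB::Util.html_escape converts & < > " ' to entity references, which
# is what Rails' <%= %> does by default (unless the value is marked html_safe).
def render_safe(title)
  "<p>New issue: #{ERB::Util.html_escape(title)}</p>"
end

# Defensive check usable in a test suite: after escaping, an untrusted value
# must contain no raw characters that can open a tag or close an attribute.
def fully_escaped?(value)
  return false if value.match?(/[<>"']/)
  # a bare '&' that does not start a known entity is also a red flag
  !value.match?(/&(?!(?:amp|lt|gt|quot|#39);)/)
end

def untrusted_value_is_escaped?(title)
  fully_escaped?(ERB::Util.html_escape(title))
end

if __FILE__ == $PROGRAM_NAME
  puts render_unsafe(UNTRUSTED_TITLE) # the <script> tag survives intact
  puts render_safe(UNTRUSTED_TITLE)   # the tag is rendered as literal text
end
```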

Added: May 14, 2026, 6:58 AM
Updated: May 14, 2026, 6:58 AM

Vulnerability Rating

Custom Algorithm

spread: 7.3
impact: 1.7
exploitability: 5.2
remediation: 7.7
relevance: 8.4
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.