GitLab CE/EE HTML Injection Vulnerability in Search Page Leading to Account Takeover

Vulnerability

A vulnerability allowing HTML injection has been identified in GitLab Community Edition (CE) and Enterprise Edition (EE) versions 18.0 prior to 18.0.2. This issue arises under certain conditions on the new search page, where the injected HTML could be exploited to take over user accounts.

Impact

Exploitation of this vulnerability could result in unauthorized account access, allowing an attacker to assume control of the affected user’s account.

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm
spread: 7.3
impact: 5.4
exploitability: 5.0
remediation: 0.0
relevance: 0.2
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to produce these 8 key vulnerability categories, which are then combined into the overall risk score.