GitLab EE HTML Injection Vulnerability in User Accounts

Vulnerability

An HTML injection vulnerability has been identified in GitLab Enterprise Edition (EE) versions 15.4 prior to 18.8.7, 18.9 prior to 18.9.3, and 18.10 prior to 18.10.1. Because of inadequate sanitization of HTML content, an authenticated user could add email addresses to targeted user accounts.

Impact

Exploitation of this vulnerability could lead to unauthorized modification of user account information, specifically the addition of attacker-chosen email addresses, which could then be misused for account recovery or impersonation.

Remediation

Users are advised to upgrade to GitLab EE 18.8.7, 18.9.3, or 18.10.1 (or a later release on the corresponding release line). Instructions for updating GitLab can be found on the GitLab Update page.
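The version ranges above are easy to misread during triage (an 18.8.x instance older than 18.8.7 is affected, but so is anything from 15.4 up to 18.8.6, and 18.10.0 is affected while 18.10.1 is not). The following is an added example, not GitLab code, that turns the advisory's three ranges into a check a practitioner can run over the version strings of their own instances. The version strings in the demo are constructed for illustration; the range boundaries are taken verbatim from this advisory.

```python
"""Check GitLab EE version strings against the affected ranges in this advisory.

Added example; not GitLab's own code. Ranges come from the advisory text:
  15.4  <= v < 18.8.7
  18.9  <= v < 18.9.3
  18.10 <= v < 18.10.1
The upper bound of each range is the fixed release for that line.
"""
import re

# (inclusive lower bound, exclusive upper bound) as (major, minor, patch) tuples.
AFFECTED_RANGES = (
    ((15, 4, 0), (18, 8, 7)),
    ((18, 9, 0), (18, 9, 3)),
    ((18, 10, 0), (18, 10, 1)),
)


def parse_version(text):
    """Parse 'MAJOR.MINOR[.PATCH][-suffix]' (e.g. '18.9.2-ee') into a 3-tuple.

    GitLab reports versions such as '18.9.2-ee'; the '-ee' / '-ce' suffix and
    anything after the patch number are ignored for range comparison.
    A bare 'MAJOR.MINOR' is treated as patch 0.
    """
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognized version string: {text!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def is_affected(version_text):
    """True if the version falls inside any affected range from the advisory."""
    v = parse_version(version_text)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def recommended_upgrade(version_text):
    """Return the fixed release closing the range the version falls in, or None.

    For a version in the long 15.4 .. 18.8.6 range this is 18.8.7, matching the
    advisory's guidance; newer lines get their own patch release.
    """
    v = parse_version(version_text)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return ".".join(str(n) for n in hi)
    return None


if __name__ == "__main__":
    # Constructed sample inventory (hostname -> reported version); not real hosts.
    inventory = {
        "gitlab-prod": "18.9.2-ee",
        "gitlab-staging": "18.10.0-ee",
        "gitlab-legacy": "17.5.1-ee",
        "gitlab-patched": "18.8.7-ee",
        "gitlab-old": "15.3.9-ee",
    }
    for host, version in inventory.items():
        if is_affected(version):
            print(f"{host}: {version} AFFECTED -> upgrade to {recommended_upgrade(version)}")
        else:
            print(f"{host}: {version} not in an affected range")
```

The version string for a real instance can be read from the GitLab API's `GET /api/v4/version` endpoint with an authenticated token, or from the Admin area; feed that value to `is_affected` as above. Note that the check only covers the ranges this advisory lists, so a version outside them (for example an 18.11 release) is reported as not affected by this issue, not as up to date in general.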

Added: Mar 25, 2026, 7:13 PM
Updated: Mar 25, 2026, 7:13 PM

Vulnerability Rating

Custom Algorithm

spread: 7.3
impact: 2.5
exploitability: 5.0
remediation: 7.7
relevance: 4.7
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.