CVE-2021-39946
HIGH
GitLab 14.3-14.3.6, 14.4-14.4.4, 14.5-14.5.2 - Cross-Site Scripting via Emoji HTML Generation
Title source: llmDescription
Improper neutralization of user input in GitLab CE/EE versions 14.3 to 14.3.6, 14.4 to 14.4.4, and 14.5 to 14.5.2 allowed an attacker to perform cross-site scripting (XSS) by abusing the generation of the HTML code related to emojis.
References (3)
https://gitlab.com/gitlab-org/gitlab/-/issues/345657 (Vendor Advisory; link currently broken)
https://hackerone.com/reports/1398305 (Third Party Advisory; permissions required to view)
https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39946.json (Vendor Advisory)
Scores
CVSS v3
8.7
EPSS
0.0019
EPSS Percentile
39.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Details
CWE
CWE-79
Status
published
Products (1)
gitlab/gitlab
14.3 - 14.3.6 (2 CPE variants)
Published
Jan 18, 2022
Tracked Since
Feb 18, 2026