CVE-2025-6186

HIGH

Gitlab < 18.1.4 - XSS

Title source: rule

Description

An issue has been discovered in GitLab CE/EE affecting all versions from 18.1 before 18.1.4, and 18.2 before 18.2.2 that could have allowed authenticated users to achieve account takeover by injecting malicious HTML into work item names.

References (2)

[Broken Link] https://gitlab.com/gitlab-org/gitlab/-/issues/549844

[Permissions Required] https://hackerone.com/reports/3189522

Scores

CVSS v3 8.7

EPSS 0.0005

EPSS Percentile 15.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Classification

CWE

CWE-79

Status published

Affected Products (2)

gitlab/gitlab < 18.1.4

Timeline

Published Aug 13, 2025

Tracked Since Feb 18, 2026