CVE-2025-9222

HIGH

GitLab 18.2.2-18.5.4, 18.6-18.6.2, 18.7-18.7.0 - Authenticated Stored Cross-Site Scripting via GitLab Flavored Markdown

Title source: llm
STIX 2.1

Description

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2.2 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user to achieve stored cross-site scripting by exploiting GitLab Flavored Markdown.

References (6)

Core 6

Scores

CVSS v3 8.7
EPSS 0.0038
EPSS Percentile 29.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-79
Status published
Products (5)
gitlab/gitlab 18.7.0 (2 CPE variants)
gitlab/gitlab 18.2.2 - 18.5.5 (2 CPE variants)
GitLab/GitLab 18.2.2 - 18.5.5
GitLab/GitLab 18.6 - 18.6.3
GitLab/GitLab 18.7 - 18.7.1
Published Jan 09, 2026
Tracked Since Feb 18, 2026