CVE-2026-0752

HIGH

GitLab CE/EE 16.2-18.7.4/18.8-18.8.4/18.9 - XSS

Title source: llm

Description

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.2 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that under certain circumstances, could have allowed an unauthenticated user to inject arbitrary scripts into the Mermaid sandbox UI.

References (3)

[Release Notes] https://about.gitlab.com/releases/2026/02/25/patch-release-gitlab-18-9-1-released/

[Issue Tracking] https://gitlab.com/gitlab-org/gitlab/-/issues/585371

[Third Party Advisory] https://hackerone.com/reports/3473276

Scores

CVSS v3 8.0

EPSS 0.0008

EPSS Percentile 24.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

Classification

CWE

CWE-79

Status published

Affected Products (4)

gitlab/gitlab < 18.7.5

gitlab/gitlab

Timeline

Published Feb 25, 2026

Tracked Since Feb 26, 2026