CVE-2026-2995NVD

Vulnerability Summary

GitLab has remediated an issue in GitLab EE affecting all versions from 15.4 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an authenticated user to add email addresses to targeted user accounts due to improper sanitization of HTML content.

Severity Level

HIGH(7.7)

Published Date

Mar 25, 2026

Last Modified

Mar 26, 2026

Exploitation Status

????

EPSS Score (30-Day)

0.06%Probability

Root Weakness (CWE)

CWE-80: Unknown/Unlisted Weakness ↗

Refer to the official MITRE database for detailed architectural specifications regarding this weakness.

CVSS v3.1 Base Metrics

Attack VectorNetwork

Attack ComplexityHigh

Privileges RequiredLow

User InteractionRequired

ScopeChanged

ConfidentialityHigh

IntegrityHigh

AvailabilityNone

External References

https://about.gitlab.com/releases/2026/03/25/patch-release-gitlab-18-10-1-released/
https://gitlab.com/gitlab-org/gitlab/-/work_items/591065
https://hackerone.com/reports/3564600

Critical Alert 1 Active Exploit Detected Today

CVE Watchtower

CVE-2026-2995NVD

Vulnerability Summary

External References