In a major move to secure its DevOps platform, GitLab has released important security versions for both Community Edition (CE) and Enterprise Edition (EE). The updates (18.11.3, 18.10.6, and 18.9.7) address a wide array of vulnerabilities, including high-severity Cross-Site Scripting (XSS) and Denial of Service (DoS) flaws that could jeopardize thousands of self-managed installations.
The most significant portion of this update focuses on several High-severity XSS vulnerabilities, many carrying a CVSS score of 8.7. These flaws reside in common features like analytics dashboards and global search, where improper input sanitization could allow attackers to execute arbitrary JavaScript in the browsers of other users.
- Analytics Dashboard Exploits (CVE-2026-7481 & CVE-2026-7377): Authenticated users with developer-role permissions could execute scripts by exploiting how charts and dashboards render data.
- Global Search Vulnerability (CVE-2026-5297): Impacting both CE and EE, this flaw allows for script execution through malicious search queries.
- Duo Agent & Markdown (CVE-2026-6073 & CVE-2026-6335): Even AI output rendering and the Banzai markdown sanitizer were found to have sanitization gaps.
Beyond scripting attacks, GitLab addressed several Denial of Service (DoS) vulnerabilities that could be used to knock self-managed instances offline.
- Unauthenticated API Attacks (CVE-2026-1659 & CVE-2025-14870): Perhaps the most concerning, these flaws allow unauthenticated users to trigger a DoS by sending specially crafted requests or JSON payloads to the CI/CD job update and Duo Workflows APIs.
- Memory Exhaustion (CVE-2026-8280): Authenticated users could crash a system by causing excessive memory consumption through a malicious CSV parser used in direct transfers.
The patch cycle also cleaned up several “Improper Authorization” and “Access Control” issues that allowed users to peek where they shouldn’t.
- Private Data Exposure (CVE-2026-4524 & CVE-2025-13874): Gaps in authorization checks could have allowed authenticated users to view confidential issue content in public projects or access issues in projects they were not authorized to enter.
- Protected Rule Bypasses (CVE-2026-3607 & CVE-2026-3073): Vulnerabilities in Helm and PyPI package protection rules allowed users with developer-role permissions to bypass safeguards and upload restricted packages.
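For administrators of self-managed instances, the practical question is whether the running version already carries these fixes. The following check is an added example, not code from GitLab or from this report: it maps each affected branch to the first patched release named above (18.11.3, 18.10.6, 18.9.7) and compares a version string against it. The `fetch_version` helper reads the version over GitLab's REST API (`GET /api/v4/version`, which needs an API token); the base URL and token are placeholders, and the assumptions about branches newer than 18.11 or older than 18.9 are stated in the code, not in the advisory.

```python
import json
import re
import urllib.request

# Fixed releases named in the advisory: (major, minor) branch -> first patched level.
PATCHED = {(18, 11): 3, (18, 10): 6, (18, 9): 7}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> tuple:
    """Parse '18.11.3' or '18.11.3-ee' (the form /api/v4/version returns)
    into (major, minor, patch). Raises ValueError on unrecognised input."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def is_patched(version: str) -> bool:
    """True if the version already includes the fixes from this release cycle.

    Assumptions (not stated in the advisory): branches newer than 18.11 are
    treated as patched; branches older than 18.9 are treated as unpatched,
    because no fixed release is listed for them."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in PATCHED:
        return patch >= PATCHED[branch]
    return branch > max(PATCHED)


def fetch_version(base_url: str, token: str) -> str:
    """Read the instance version via the GitLab REST API (GET /api/v4/version).
    Requires a token with read_api scope; base_url and token are placeholders."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v4/version",
        headers={"PRIVATE-TOKEN": token},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["version"]


if __name__ == "__main__":
    # Constructed sample inputs; in practice use fetch_version("https://gitlab.example", "<TOKEN>").
    for v in ("18.11.3-ee", "18.10.5", "18.9.7", "18.8.9"):
        print(v, "patched" if is_patched(v) else "NOT patched")
```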