CVE Catalog

CVE-2026-10086

HighCVSS 8.7
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.23%

14th percentile — higher than 14% of all known CVEs

Summary

An issue was discovered in GitLab EE where improper sanitization of user-supplied input could allow an authenticated user with developer-role permissions to execute arbitrary client-side code in the context of another user's session.

Risk Assessment

An attacker could hijack another user's session, steal data, or perform unauthorized actions on their behalf, posing a serious threat to data confidentiality and integrity.

Recommendation

Immediately upgrade GitLab EE to version 18.11.6, 19.0.3, or 19.1.1, depending on the release branch in use.

Original NVD description (English source)

GitLab has remediated an issue in GitLab EE affecting all versions from 16.4 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed an authenticated user with developer-role permissions to execute arbitrary client-side code in the context of another user's session, due to improper sanitization of user-supplied input.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS