CVE-2026-10712
HighCVSS 8.0Exploitation Probability (EPSS)
Low risk13th percentile — higher than 13% of all known CVEs
Summary
A vulnerability in GitLab CE/EE allows an unauthenticated attacker to execute arbitrary JavaScript in a user's browser session due to improper path validation. Affects versions from 18.10 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1.
Risk Assessment
An attacker can hijack a user's session, steal data, or perform unauthorized actions in the victim's context, posing a serious threat to data confidentiality and integrity.
Recommendation
Immediately upgrade GitLab to version 18.11.6, 19.0.3, or 19.1.1 depending on your branch. No workarounds are available; upgrading is the only solution.
Original NVD description (English source)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.10 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed an unauthenticated user to execute arbitrary JavaScript in a user's browser session due to improper path validation under certain conditions.

