Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
5.4
GitLab: Authenticated User Can Inject JavaScript
CVE-2026-1090
BIT-gitlab-2026-1090
Summary
An authenticated user can inject malicious JavaScript code into a GitLab project if a specific feature is enabled. This could potentially lead to unauthorized actions or data theft. To protect your instance, update to the latest version of GitLab.
What to do
- Update gitlab to version 18.9.2.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | gitlab | > 18.9.0 , <= 18.9.2 | 18.9.2 |
| gitlab | gitlab | > 10.6.0 , <= 18.7.6 | – |
| gitlab | gitlab | > 10.6.0 , <= 18.7.6 | – |
| gitlab | gitlab | > 18.8.0 , <= 18.8.6 | – |
| gitlab | gitlab | > 18.8.0 , <= 18.8.6 | – |
| gitlab | gitlab | > 18.9.0 , <= 18.9.2 | – |
| gitlab | gitlab | > 18.9.0 , <= 18.9.2 | – |
Original title
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 10.6 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user, when the `ma...
Original description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 10.6 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user, when the `markdown_placeholders` feature flag was enabled, to inject JavaScript in a browser due to improper sanitization of placeholder content in markdown processing.
nvd CVSS3.1
8.7
Vulnerability type
CWE-79
Cross-site Scripting (XSS)
Published: 11 Mar 2026 · Updated: 13 Mar 2026 · First seen: 11 Mar 2026