GitLab: Unauthenticated User Can Inject Malicious Scripts in Mermaid UI
CVE-2026-0752
Summary
GitLab has fixed an issue in GitLab CE/EE that, under certain circumstances, could have allowed an unauthenticated user to inject arbitrary scripts into the Mermaid sandbox UI (cross-site scripting, CWE-79). Affected versions are 16.2 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1. Upgrade to 18.7.5, 18.8.5 or 18.9.1 (or later on the same branch) as soon as possible.
What to do
Fixed releases are available: upgrade to 18.7.5, 18.8.5 or 18.9.1 (or a later release on the same branch). See the vendor advisory in the references below.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| gitlab | gitlab | >= 16.2.0, < 18.7.5 | 18.7.5 |
| gitlab | gitlab | >= 18.8.0, < 18.8.5 | 18.8.5 |
| gitlab | gitlab | >= 18.9.0, < 18.9.1 | 18.9.1 |
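As an added example (not GitLab's code and not part of the original advisory), the following Python script encodes the three affected ranges above and reports, for a given installed version, whether it is affected and which patch release closes the gap on that branch. It assumes version strings in the form GitLab reports them (for example 18.7.4-ee); the instance names in the sample inventory are constructed. The version of a running instance can be read from its /api/v4/version endpoint with an authenticated token, or with gitlab-rake gitlab:env:info on the server.

```python
"""Check GitLab versions against the CVE-2026-0752 affected ranges.

Added example, not GitLab's own code. The ranges below are copied from the
advisory: 16.2 before 18.7.5, 18.8 before 18.8.5, 18.9 before 18.9.1.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# (first affected, first fixed) per release branch, as stated in the advisory.
# Upper bounds are exclusive: the first fixed release is not affected.
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((16, 2, 0), (18, 7, 5)),
    ((18, 8, 0), (18, 8, 5)),
    ((18, 9, 0), (18, 9, 1)),
]

# GitLab reports versions such as "18.7.4-ee" or "18.8.2-ce"; the edition
# suffix is ignored and a missing patch number is treated as .0.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-|$)")


def parse_version(text: str) -> Version:
    """Parse a GitLab version string into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def fixed_version_for(version: str) -> Optional[str]:
    """Return the patch release that closes CVE-2026-0752 for this version,
    or None if the version lies outside every affected range."""
    v = parse_version(version)
    for low, fixed in AFFECTED_RANGES:
        if low <= v < fixed:
            return ".".join(map(str, fixed))
    return None


def is_affected(version: str) -> bool:
    """True if the version falls inside one of the advisory's affected ranges."""
    return fixed_version_for(version) is not None


def triage(inventory: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Map each instance name to the release it must be upgraded to (None = not affected)."""
    return {name: fixed_version_for(ver) for name, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory for illustration; these are not real hosts.
    sample = {
        "gitlab-prod": "18.7.4-ee",
        "gitlab-staging": "18.8.5-ee",
        "gitlab-legacy": "17.3.0-ce",
        "gitlab-new": "18.9",
    }
    for name, target in triage(sample).items():
        status = f"affected, upgrade to {target}" if target else "not affected"
        print(f"{name:15} {sample[name]:10} {status}")
```

Note that the first range spans every release from 16.2 up to 18.7.4, so an instance on 17.x is reported as needing 18.7.5: the advisory lists no backported fix for earlier minor versions, and that branch has to move to a fixed release.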
Original title
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.2 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that under certain circumstances, could have allowed an una...
Original description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.2 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that under certain circumstances, could have allowed an unauthenticated user to inject arbitrary scripts into the Mermaid sandbox UI.
NVD CVSS 3.1 base score: 6.1
Vulnerability type: CWE-79 Cross-site Scripting (XSS)
References
- https://about.gitlab.com/releases/2026/02/25/patch-release-gitlab-18-9-1-release... (release notes, vendor advisory)
- https://gitlab.com/gitlab-org/gitlab/-/issues/585371 (GitLab issue; link reported broken)
- https://hackerone.com/reports/3473276 (HackerOne report; permissions required to view)
Published: 25 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026