5.4
GitLab EE: Authenticated users can execute malicious code in dashboards
CVE-2026-4332
Summary
GitLab has fixed a cross-site scripting issue in its Enterprise Edition that could have allowed an authenticated user to run arbitrary JavaScript in other users' browsers. The flaw was in customizable analytics dashboards, where input was not properly sanitized. Versions from 18.2 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 are affected; upgrade your GitLab EE instance to 18.8.9, 18.9.5, 18.10.3 or later, especially if you use customizable analytics dashboards.
Original title
GitLab has remediated an issue in GitLab EE affecting all versions from 18.2 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that, in customizable analytics dashboards, could have allow...
Original description
GitLab has remediated an issue in GitLab EE affecting all versions from 18.2 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that, in customizable analytics dashboards, could have allowed an authenticated user to execute arbitrary JavaScript in the context of other users' browsers due to improper input sanitization.
NVD CVSS 3.1
5.4
Vulnerability type
CWE-79
Cross-site Scripting (XSS)
Published: 8 Apr 2026 · Updated: 8 Apr 2026 · First seen: 8 Apr 2026