CVE-2025-4278: GitLab: Malicious Code Injection Risks Account Takeover
CVE-2025-4278
Summary
GitLab Community Edition and Enterprise Edition, all versions from 18.0 before 18.0.2, are vulnerable to an HTML injection (cross-site scripting) flaw in the new search page that, under certain conditions, could allow an attacker to take over a user's account. This is a serious issue because an attacker who hijacks an account can read and manipulate the sensitive information it has access to. Update to version 18.0.2 or later to fix the issue.
What to do
Update to GitLab 18.0.2 or later. The affected range is 18.0.0 up to, but not including, 18.0.2; check with your software vendor if you run a packaged or hosted GitLab build.
Affected software
| Vendor | Product | Affected versions | CPE |
|---|---|---|---|
| gitlab | gitlab | >= 18.0.0, < 18.0.2 | cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:* |
Original title
An issue has been discovered in GitLab CE/EE affecting all versions starting with 18.0 before 18.0.2. Under certain conditions, HTML injection in the new search page could lead to account takeover.
Original description
An issue has been discovered in GitLab CE/EE affecting all versions starting with 18.0 before 18.0.2. Under certain conditions, HTML injection in the new search page could lead to account takeover.
NVD CVSS 3.1 score
8.7
Vulnerability type
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
References
- https://gitlab.com/gitlab-org/gitlab/-/issues/539198 (link reported broken)
- https://hackerone.com/reports/3085738 (permissions required to view)
Published: 12 Jun 2025 · Updated: 15 Jun 2026 · First seen: 7 Mar 2026