Zero Day MonitorZDM

← Back to list

5.4

CVE-2026-4332PATCHED

gitlab · gitlab

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab

Description

GitLab has remediated an issue in GitLab EE affecting all versions from 18.2 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that, in customizable analytics dashboards, could have allowed an authenticated user to execute arbitrary JavaScript in the context of other users' browsers due to improper input sanitization.

Affected Products

Vendor	Product	Versions
gitlab	gitlab	18.2, 18.9, 18.10, 18.8.8, 18.9.4, 18.10.2

References

https://gitlab.com/gitlab-org/gitlab/-/work_items/593853
https://hackerone.com/reports/3600345(technical-description, exploit, permissions-required)
https://about.gitlab.com/releases/2026/04/08/patch-release-gitlab-18-10-3-released/

Related News (1 articles)

Tier C

VulDB44m ago

CVE-2026-4332 | GitLab Enterprise Edition up to 18.8.8/18.9.4/18.10.2 Analytics Dashboard cross site scripting

→ No new info (linked only)

CVSS 3.15.4 HIGH

VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA KEV❌ No

Actively exploited❌ No

Patch available

18.8.918.9.518.10.3

CWECWE-79

PublishedApr 8, 2026

Last enriched29m agov2

Trending Score29

Source articles2

Independent1

Info Completeness9/14

Missing: epss, kev, exploit, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

CRITICALCVE-2026-5173EXP

Exposed Dangerous Method or Function in GitLab

CRITICALCVE-2026-1516EXP

Improper Control of Generation of Code ('Code Injection') in GitLab

CRITICALCVE-2025-12664EXP

Improper Validation of Specified Quantity in Input in GitLab

HIGHCVE-2026-2104EXP

Authorization Bypass Through User-Controlled Key in GitLab

HIGHCVE-2026-1752

Incorrect Authorization in GitLab

Pin to Dashboard

Verification

State: unverified

Confidence: 0%

Vulnerability Timeline

CVE Published

Apr 8, 2026

Discovered by ZDM

Apr 8, 2026

Patch Available

Apr 8, 2026

Updated: affectedVersions, severity

Apr 9, 2026

Version History

v2

Last enriched 29m ago

v2Tier C29m ago

Updated affected versions to include 18.8.8, 18.9.4, and 18.10.2, changed severity to HIGH, and noted that no exploit exists.

affectedVersionsseverity

via VulDB

v11h ago

Initial creation