CVE-2025-12716
Published: 11 December 2025
Summary
CVE-2025-12716 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Gitlab Gitlab. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 13.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Filters wiki page outputs before rendering in browsers to prevent execution of malicious scripts that enable unauthorized actions on behalf of victims.
Validates inputs for wiki pages to detect and block malicious content that could lead to stored XSS exploitation.
Requires timely patching of the specific GitLab XSS flaw in wiki handling to eliminate the vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
XSS vulnerability in GitLab wiki enables exploitation of public-facing web application (T1190), JavaScript execution in victim browser context (T1059.007), and web session cookie theft to perform actions on behalf of victim (T1539).
NVD Description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.4 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that, under certain conditions could have allowed an authenticated user to perform unauthorized actions on behalf of another…
more
user by creating wiki pages with malicious content.
Deeper analysisAI
CVE-2025-12716 is a cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting GitLab Community Edition (CE) and Enterprise Edition (EE) in versions 18.4 prior to 18.4.6, 18.5 prior to 18.5.4, and 18.6 prior to 18.6.2. The flaw enables an authenticated user, under certain conditions, to create wiki pages containing malicious content that could lead to unauthorized actions performed on behalf of another user. It carries a CVSS v3.1 base score of 8.7 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N), indicating high severity due to its network accessibility, low attack complexity, requirement for low privileges and user interaction, and cross-scope impact on confidentiality and integrity.
An attacker with authenticated access to a vulnerable GitLab instance can exploit this by crafting and uploading wiki pages with malicious payloads. If another user interacts with the content—such as viewing or editing the wiki page—the payload executes in the victim's browser context, potentially allowing the attacker to perform actions as the victim user. This could result in high-impact confidentiality breaches, like data exfiltration, and integrity violations, such as unauthorized modifications, all without affecting availability.
GitLab has remediated the issue through patch releases, including GitLab 18.6.2, as detailed in their release notes. Security practitioners should upgrade affected instances to GitLab 18.4.6, 18.5.4, or 18.6.2 or later versions. Additional details are available in the GitLab issue tracker (gitlab.com/gitlab-org/gitlab/-/issues/579548) and the originating HackerOne report (hackerone.com/reports/3405832).
Details
- CWE(s)