CVE-2025-13761
Published: 09 January 2026
Summary
CVE-2025-13761 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Gitlab Gitlab. Its CVSS base score is 8.0 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 14.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-2 ensures timely patching of the specific XSS flaw in GitLab versions prior to 18.6.3 and 18.7.1, directly remediating the vulnerability as recommended by GitLab.
SI-15 filters malicious JavaScript output from GitLab pages viewed in authenticated users' browsers, preventing arbitrary code execution via specially crafted webpages.
SI-10 validates untrusted inputs from unauthenticated users to block injection of XSS payloads that could execute in the context of authenticated sessions.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
XSS in public-facing GitLab enables browser JS execution (T1059.007) after exploiting the web app (T1190) and directly supports session hijacking (T1185).
NVD Description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an unauthenticated user to execute arbitrary code in the context of an authenticated user's browser by convincing…
more
the legitimate user to visit a specially crafted webpage.
Deeper analysisAI
CVE-2025-13761 is a cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting GitLab Community Edition (CE) and Enterprise Edition (EE) in all versions from 18.6 prior to 18.6.3 and from 18.7 prior to 18.7.1. The flaw enables an unauthenticated user to execute arbitrary code within the context of an authenticated user's browser by tricking the legitimate user into visiting a specially crafted webpage. It carries a CVSS v3.1 base score of 8.0 (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N), reflecting high severity due to its potential for confidentially and integrity impacts across a changed scope.
An unauthenticated attacker can exploit this vulnerability by socially engineering an authenticated GitLab user—such as a project maintainer or developer—into interacting with a malicious webpage, for example via phishing or a shared link. Successful exploitation grants the attacker the ability to run arbitrary JavaScript in the victim's browser session, potentially leading to session hijacking, data theft from the GitLab interface, or further actions leveraging the user's permissions, such as accessing repositories or triggering workflows.
GitLab has remediated the issue through patch releases, including GitLab 18.7.1 as detailed in their January 7, 2026 release notes, with corresponding fixes for the 18.6 branch in version 18.6.3. Security practitioners should upgrade affected instances immediately, as outlined in the official GitLab security issue tracker (gitlab.com/gitlab-org/gitlab/-/issues/582237) and the originating HackerOne report (hackerone.com/reports/3441368). No workarounds are specified beyond applying the patches.
Details
- CWE(s)