CVE-2025-14560
Published: 11 February 2026
Summary
CVE-2025-14560 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Gitlab Gitlab. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 26.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2025-14560 is a cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting GitLab Community Edition (CE) and Enterprise Edition (EE) in all versions from 17.1 prior to 18.6.6, 18.7 prior to 18.7.4, and 18.8 prior to 18.8.4. The flaw allows an authenticated user, under certain conditions, to inject malicious content into the vulnerability code flow, enabling unauthorized actions on behalf of another user. It carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N), indicating high confidentiality and integrity impacts with low privileges required but user interaction necessary.
An authenticated attacker with low privileges can exploit this vulnerability over the network with low complexity by injecting malicious payloads into affected code flows. Exploitation requires another user to interact with the injected content, such as clicking a link or viewing a page, which triggers the XSS and allows the attacker to perform actions as the victim user, potentially leading to account takeover, data exfiltration, or further privilege escalation within the GitLab instance.
GitLab has remediated the issue in versions 18.6.6, 18.7.4, and 18.8.4, as detailed in their patch release notes and associated issue tracker. Security practitioners should upgrade to these patched versions immediately. Additional details are available in the GitLab release announcement, the public issue tracker entry, and the originating HackerOne report.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-207020
Vulnerability details
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.1 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions could have allowed an authenticated user to perform unauthorized actions on behalf of another…
more
user by injecting malicious content into vulnerability code flow.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
XSS vuln directly enables script injection (JavaScript) against a public-facing web app (GitLab) to hijack user sessions/actions.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires validation and sanitization of all inputs into the vulnerability code flow, directly blocking the malicious content injection that enables the XSS.
Filters and encodes outputs rendered in vulnerability-related pages, neutralizing injected scripts before they execute in another user's browser.
Enforces access-control decisions on actions performed via the vulnerability flow, limiting the impact of any successful XSS impersonation.