Cyber Resilience

CVE-2025-14560

High

Published: 11 February 2026

Published
11 February 2026
Modified
13 February 2026
KEV Added
Patch
CVSS Score v3.1 7.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
EPSS Score 0.0009 26.0th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-14560 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Gitlab Gitlab. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 26.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2025-14560 is a cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting GitLab Community Edition (CE) and Enterprise Edition (EE) in all versions from 17.1 prior to 18.6.6, 18.7 prior to 18.7.4, and 18.8 prior to 18.8.4. The flaw allows an authenticated user, under certain conditions, to inject malicious content into the vulnerability code flow, enabling unauthorized actions on behalf of another user. It carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N), indicating high confidentiality and integrity impacts with low privileges required but user interaction necessary.

An authenticated attacker with low privileges can exploit this vulnerability over the network with low complexity by injecting malicious payloads into affected code flows. Exploitation requires another user to interact with the injected content, such as clicking a link or viewing a page, which triggers the XSS and allows the attacker to perform actions as the victim user, potentially leading to account takeover, data exfiltration, or further privilege escalation within the GitLab instance.

GitLab has remediated the issue in versions 18.6.6, 18.7.4, and 18.8.4, as detailed in their patch release notes and associated issue tracker. Security practitioners should upgrade to these patched versions immediately. Additional details are available in the GitLab release announcement, the public issue tracker entry, and the originating HackerOne report.

EU & UK References

Vulnerability details

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.1 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions could have allowed an authenticated user to perform unauthorized actions on behalf of another…

more

user by injecting malicious content into vulnerability code flow.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.007 JavaScript Execution
Adversaries may abuse various implementations of JavaScript for execution.
Why these techniques?

XSS vuln directly enables script injection (JavaScript) against a public-facing web app (GitLab) to hijack user sessions/actions.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-2255Same product: Gitlab Gitlab
CVE-2026-0752Same product: Gitlab Gitlab
CVE-2025-0314Same product: Gitlab Gitlab
CVE-2025-12716Same product: Gitlab Gitlab
CVE-2025-13761Same product: Gitlab Gitlab
CVE-2024-10383Same product: Gitlab Gitlab
CVE-2025-9222Same product: Gitlab Gitlab
CVE-2026-1090Same product: Gitlab Gitlab
CVE-2026-6073Same product: Gitlab Gitlab
CVE-2026-7377Same product: Gitlab Gitlab

Affected Assets

gitlab
gitlab
17.1.0 — 18.6.6 · 17.1.0 — 18.6.6 · 18.7.0 — 18.7.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires validation and sanitization of all inputs into the vulnerability code flow, directly blocking the malicious content injection that enables the XSS.

prevent

Filters and encodes outputs rendered in vulnerability-related pages, neutralizing injected scripts before they execute in another user's browser.

prevent

Enforces access-control decisions on actions performed via the vulnerability flow, limiting the impact of any successful XSS impersonation.

References