CVE-2026-0595
Published: 11 February 2026
Summary
CVE-2026-0595 is a high-severity Cross-site Scripting (CWE-79) vulnerability in GitLab CE/EE, published by GitLab. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Account Manipulation (T1098); the CVE ranks at the 23.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-0595 is an HTML injection vulnerability (CWE-79) in GitLab Community Edition (CE) and Enterprise Edition (EE), affecting all versions from 13.9 prior to 18.6.6, 18.7 prior to 18.7.4, and 18.8 prior to 18.8.4. The flaw occurs in test case titles, where under certain conditions an authenticated user could inject HTML to add unauthorized email addresses to victim accounts. It carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N), indicating high confidentiality and integrity impacts with low attack complexity but requiring user interaction and low privileges.
An authenticated attacker with network access to a vulnerable GitLab instance can exploit this by crafting malicious HTML in test case titles. Victim user interaction is required to trigger the injection, after which the attacker can add unauthorized email addresses to the victim's account. This could enable further compromise, such as account takeover or unauthorized actions tied to the victim's permissions.
GitLab has remediated the issue through patch releases, including version 18.8.4 as announced in their release notes. Administrators should upgrade to GitLab 18.6.6 or later, 18.7.4 or later, or 18.8.4 or later to mitigate the vulnerability. Additional details are provided in the GitLab issue tracker at https://gitlab.com/gitlab-org/gitlab/-/issues/584975 and the originating HackerOne report at https://hackerone.com/reports/3486862.
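The remediation boils down to a version comparison against three ranges, and getting the branch boundaries right (18.6.6, 18.7.4, 18.8.4 are fixed; anything below them on the same branch, back to 13.9, is not) is where triage scripts usually go wrong. The following helper is an added example written for this page, not code from GitLab or from the advisory; the version strings fed to it are constructed samples, and the only facts it encodes are the affected ranges stated above.

```python
"""Triage helper for CVE-2026-0595: is a given GitLab CE/EE version in an affected range?

Affected (from the advisory):
  13.9   <= v < 18.6.6
  18.7.0 <= v < 18.7.4
  18.8.0 <= v < 18.8.4
Fixed: 18.6.6, 18.7.4, 18.8.4 and later on each branch.
"""
import re

# (inclusive lower bound, exclusive upper bound) per affected branch.
# The upper bound of each range is also the first fixed version on that branch.
AFFECTED_RANGES = [
    ((13, 9, 0), (18, 6, 6)),
    ((18, 7, 0), (18, 7, 4)),
    ((18, 8, 0), (18, 8, 4)),
]


def parse_version(text):
    """Parse 'MAJOR.MINOR[.PATCH]' with an optional leading 'v' and trailing
    edition suffix (e.g. '18.7.3-ee' as shown by `gitlab-rake gitlab:env:info`)
    into a comparable (major, minor, patch) tuple. A missing patch is treated as 0."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def is_affected(text):
    """True if the version falls inside any affected range for CVE-2026-0595."""
    v = parse_version(text)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def minimum_fixed_version(text):
    """Return the smallest fixed version the instance should move to, or None
    if the version is not affected. Versions below 18.7 map to 18.6.6, matching
    the advisory's 'upgrade to 18.6.6 or later' guidance."""
    v = parse_version(text)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return ".".join(map(str, hi))
    return None


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for host, ver in [("ci-a", "18.7.3-ee"), ("ci-b", "18.8.4"), ("ci-c", "16.2.1")]:
        fix = minimum_fixed_version(ver)
        print(f"{host}: {ver} -> {'upgrade to ' + fix if fix else 'not affected'}")
```

Tuple comparison does the ordering work, so the same function handles a version on an old branch (16.2.1 is affected and maps to 18.6.6) and a patched one on a current branch (18.8.4 is not affected). Treat the edition suffix as irrelevant: CE and EE share the affected ranges.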
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-6217
Vulnerability details
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.9 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions, could have allowed an authenticated user to add unauthorized email addresses to victim accounts through HTML injection in test case titles.
Related Threats
MITRE ATT&CK Enterprise Techniques
- Account Manipulation (T1098)
Why these techniques?
HTML injection enables unauthorized addition of email addresses to victim accounts, directly facilitating account manipulation for potential takeover.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly enforces validation of test-case title inputs to block the HTML injection that enables unauthorized email address addition.
- SI-2 (Flaw Remediation): requires timely application of the vendor patches (18.6.6/18.7.4/18.8.4) that remediate the CWE-79 flaw in GitLab.
- Access enforcement: applies access-control decisions to account email modifications so that even a successful injection cannot alter victim accounts without proper authorization checks.
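SI-10 in practice means two things for a field like a test-case title: render it as literal text rather than markup, and be able to find titles that already carry markup in stored data. The snippet below is an added example written for this page, not GitLab code; the titles it scans are constructed samples. It escapes titles for safe rendering and flags stored titles that look like HTML, while deliberately not tripping on the comparison operators a test title can legitimately contain (a defender-side false positive worth handling).

```python
"""Output encoding and stored-data triage for user-supplied titles (SI-10 style).

Added example for CVE-2026-0595 coverage; not GitLab's own implementation.
"""
import html
import re

# Matches the start of an HTML tag: '<' or '</' immediately followed by a tag
# name and then whitespace, '>' or '/'. The "immediately followed" rule is what
# keeps "a < b" (operator with spaces) from matching, since a tag name cannot be
# preceded by whitespace. Text like "a<b c" would still match; the regex errs
# toward flagging for human review rather than silently passing.
TAG_RE = re.compile(r"</?[A-Za-z][A-Za-z0-9-]*[\s>/]")

# Constructed sample titles, as they might sit in a test-case table.
SAMPLE_TITLES = [
    "Login page renders",
    "Verify a < b && c > d",
    "<b>Bold</b> title",
    'Link <a href="https://example.invalid">here</a>',
]


def contains_markup(title):
    """True if the title contains something that parses as an HTML tag."""
    return TAG_RE.search(title) is not None


def safe_title(title):
    """Escape a title so a browser shows it as text, never as markup.
    quote=True also escapes quotes so the value is safe inside attributes."""
    return html.escape(title, quote=True)


def flag_suspicious_titles(titles):
    """Return the indices of titles that contain markup, for review of
    already-stored data after patching."""
    return [i for i, t in enumerate(titles) if contains_markup(t)]


if __name__ == "__main__":
    for i in flag_suspicious_titles(SAMPLE_TITLES):
        print(f"title #{i} contains markup; rendered form: {safe_title(SAMPLE_TITLES[i])}")
```

Escaping at output is the control that closes the class of bug regardless of which field is affected; the scan is the compensating check for data written before the upgrade. Both functions are pure, so they drop into a migration or a periodic audit job without changes.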