Cyber Resilience

CVE-2026-0595

High

Published: 11 February 2026

Modified: 12 February 2026
Patch: available
CVSS v3.1: 7.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N)
EPSS: 0.0008 (23.8th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-0595 is a high-severity Cross-site Scripting (CWE-79) vulnerability in GitLab (vendor: GitLab, product: GitLab). Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Account Manipulation (T1098). The CVE ranks at the 23.8th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-0595 is an HTML injection vulnerability (CWE-79) in GitLab Community Edition (CE) and Enterprise Edition (EE), affecting all versions from 13.9 prior to 18.6.6, 18.7 prior to 18.7.4, and 18.8 prior to 18.8.4. The flaw occurs in test case titles, where under certain conditions an authenticated user could inject HTML to add unauthorized email addresses to victim accounts. It carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N), indicating high confidentiality and integrity impacts with low attack complexity but requiring user interaction and low privileges.

An authenticated attacker with network access to a vulnerable GitLab instance can exploit this by crafting malicious HTML in test case titles. Victim user interaction is required to trigger the injection, after which the attacker can add unauthorized email addresses to the victim's account. This could enable further compromise, such as account takeover or unauthorized actions tied to the victim's permissions.

GitLab has remediated the issue through patch releases, including version 18.8.4 as announced in its release notes. Administrators should upgrade to GitLab 18.6.6 or later, 18.7.4 or later, or 18.8.4 or later to mitigate the vulnerability. Additional details are provided in the GitLab issue tracker at https://gitlab.com/gitlab-org/gitlab/-/issues/584975 and the originating HackerOne report at https://hackerone.com/reports/3486862.

Vulnerability details

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.9 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions, could have allowed an authenticated user to add unauthorized email addresses to victim accounts through HTML injection in test case titles.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1098 Account Manipulation (tactic: Persistence)
Adversaries may manipulate accounts to maintain and/or elevate access to victim systems.
Why these techniques?

HTML injection enables unauthorized addition of email addresses to victim accounts, directly facilitating account manipulation for potential takeover.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-2995 (same product: GitLab)
CVE-2025-12716 (same product: GitLab)
CVE-2025-0475 (same product: GitLab)
CVE-2025-14560 (same product: GitLab)
CVE-2025-2255 (same product: GitLab)
CVE-2025-6948 (same product: GitLab)
CVE-2026-0752 (same product: GitLab)
CVE-2025-0314 (same product: GitLab)
CVE-2025-9222 (same product: GitLab)
CVE-2025-0811 (same product: GitLab)

Affected Assets

Vendor: gitlab
Product: gitlab
Affected version ranges: 13.9.0 — 18.6.6 · 18.7.0 — 18.7.4

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

Prevent (SI-10, Information Input Validation): Directly enforces validation of test-case title inputs to block the HTML injection that enables unauthorized email address addition.

Prevent (SI-2, Flaw Remediation): Requires timely application of the vendor patches (18.6.6/18.7.4/18.8.4) that remediate the CWE-79 flaw in GitLab.

Prevent: Enforces access-control decisions on account email modifications so that even a successful injection cannot alter victim accounts without proper authorization checks.