Cyber Resilience

CVE-2026-1090

Severity: High
Published: 11 March 2026
Modified: 13 March 2026
KEV Added: not listed
Patch: available
CVSS v3.1 score: 8.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N)
EPSS score: 0.0023 (13.7th percentile)
Risk priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-1090 is a high-severity Cross-site Scripting (CWE-79) vulnerability in GitLab (vendor GitLab, product GitLab). Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique JavaScript (T1059.007). The vulnerability is ranked at the 13.7th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2026-1090 is a cross-site scripting vulnerability (CWE-79) affecting GitLab Community Edition (CE) and Enterprise Edition (EE) in all versions from 10.6 prior to 18.7.6, 18.8 prior to 18.8.6, and 18.9 prior to 18.9.2. The flaw arises from improper sanitization of placeholder content during markdown processing when the `markdown_placeholders` feature flag is enabled, enabling JavaScript injection in a browser.

An authenticated user can exploit this vulnerability remotely with low attack complexity, though it requires user interaction. Exploitation allows the attacker to inject malicious JavaScript, resulting in high confidentiality and integrity impacts with a changed scope, as reflected in its CVSS 3.1 score of 8.7 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N).

GitLab remediated the issue with patches released in versions 18.7.6, 18.8.6, and 18.9.2, as documented in the patch release notes for 18.9.2. Additional details are provided in GitLab work item 586478 and the originating HackerOne report 3502450.

Vulnerability details

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 10.6 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user, when the `markdown_placeholders` feature flag was enabled, to inject JavaScript in a browser due to improper sanitization of placeholder content in markdown processing.

CWE(s): CWE-79 Cross-site Scripting

Related Threats

MITRE ATT&CK Enterprise Techniques

T1059.007 (Command and Scripting Interpreter: JavaScript)
Adversaries may abuse various implementations of JavaScript for execution.
Why these techniques?

XSS enables direct injection and execution of arbitrary JavaScript in the victim's browser context.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-6073 (same product: GitLab)
CVE-2026-7377 (same product: GitLab)
CVE-2025-14560 (same product: GitLab)
CVE-2025-0555 (same product: GitLab)
CVE-2024-10383 (same product: GitLab)
CVE-2026-0752 (same product: GitLab)
CVE-2025-2255 (same product: GitLab)
CVE-2025-0314 (same product: GitLab)
CVE-2025-13761 (same product: GitLab)
CVE-2025-12716 (same product: GitLab)

Affected Assets

Vendor: gitlab
Product: gitlab
Affected version ranges: 10.6.0 up to (excluding) 18.7.6 · 18.8.0 up to (excluding) 18.8.6 · 18.9.0 up to (excluding) 18.9.2

Mitigating Controls (NIST 800-53 r5)

Prevent: SI-15 (Information Output Filtering) requires filtering of information outputs during markdown processing to prevent JavaScript injection from unsanitized placeholder content.

Prevent: SI-10 (Information Input Validation) mandates validation of placeholder content inputs to ensure proper sanitization before markdown rendering, directly mitigating the XSS flaw.

Prevent: SI-2 (Flaw Remediation) ensures timely patching of the sanitization vulnerability, as demonstrated by GitLab's fixes in versions 18.7.6, 18.8.6, and 18.9.2.
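As an added illustration of the SI-10 and SI-15 controls described above (a constructed example, not GitLab's own markdown pipeline and not the code changed in this fix): a minimal placeholder expander in Ruby, the language GitLab is written in, showing a substitution that pastes the value into HTML verbatim next to one that allowlists placeholder names on input and HTML-escapes the value on output. The `%{name}` placeholder syntax, the allowlist, the helper names and the sample values are all assumptions made for the example.

```ruby
require 'cgi'

# Constructed illustration of CWE-79 in a placeholder-expansion step.
# This is NOT GitLab's Banzai markdown pipeline; the %{name} syntax and
# the allowlist below are assumptions made for the example.

# Placeholder syntax assumed for the example: %{lowercase_name}
PLACEHOLDER = /%\{([a-z_]+)\}/

# SI-10 (input validation): only these placeholder names may be expanded.
ALLOWED_PLACEHOLDERS = %w[project_name default_branch].freeze

# Constructed sample values; project_name stands in for user-influenced text.
SAMPLE_VALUES = {
  'project_name'   => '<script>alert(1)</script>',
  'default_branch' => 'main'
}.freeze

# Vulnerable variant: the value is pasted into the HTML output verbatim,
# so any markup or script inside it is rendered by the browser.
def expand_placeholders_unsafe(html, values)
  html.gsub(PLACEHOLDER) do |match|
    values.fetch(Regexp.last_match(1), match)
  end
end

# Hardened variant: validate the placeholder name against the allowlist
# (SI-10) and HTML-escape the value on output (SI-15), so the browser
# displays the text instead of executing it. Unknown names are left as-is.
def expand_placeholders_safe(html, values)
  html.gsub(PLACEHOLDER) do |match|
    name = Regexp.last_match(1)
    next match unless ALLOWED_PLACEHOLDERS.include?(name) && values.key?(name)
    CGI.escapeHTML(values[name].to_s)
  end
end

# Simple check a reviewer or a regression test can run over rendered output:
# true when a raw <script> tag survived into the HTML.
def script_tag_present?(html)
  html.match?(/<script\b/i)
end

if __FILE__ == $PROGRAM_NAME
  template = '<p>Welcome to %{project_name} (branch %{default_branch})</p>'
  puts expand_placeholders_unsafe(template, SAMPLE_VALUES)
  puts expand_placeholders_safe(template, SAMPLE_VALUES)
end
```

The escaping is applied at the point where the value enters the HTML, not when it is stored, because the same stored string may be rendered in several contexts; the allowlist additionally keeps an attacker from naming placeholders the template author never intended to expose.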
