CVE-2026-2995
Published: 25 March 2026
Summary
CVE-2026-2995 is a high-severity Basic XSS (CWE-80) vulnerability in GitLab (vendor GitLab). Its CVSS base score is 7.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Account Manipulation (T1098). It ranks at the 24.7th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2026-2995 is a vulnerability in GitLab Enterprise Edition (EE) affecting all versions from 15.4 prior to 18.8.7, 18.9 prior to 18.9.3, and 18.10 prior to 18.10.1. The flaw arises from improper sanitization of HTML content, enabling an authenticated user to add email addresses to targeted user accounts. It is associated with CWE-79 (Cross-site Scripting) and CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page), and carries a CVSS v3.1 base score of 7.7 (AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N).
An authenticated attacker with low privileges (PR:L) could exploit this vulnerability over the network (AV:N), though it requires high attack complexity (AC:H) and user interaction (UI:R). Exploitation would allow the attacker to modify targeted user accounts by adding unauthorized email addresses, resulting in high impacts to confidentiality and integrity (C:H/I:H) within a changed scope (S:C), with no availability disruption (A:N).
GitLab has remediated the issue, with fixes included in versions 18.8.7, 18.9.3, and 18.10.1. Security practitioners should upgrade to these patched versions. Additional details are available in the GitLab patch release notes at https://about.gitlab.com/releases/2026/03/25/patch-release-gitlab-18-10-1-released/, the associated work item at https://gitlab.com/gitlab-org/gitlab/-/work_items/591065, and the HackerOne disclosure report at https://hackerone.com/reports/3564600.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-15811
Vulnerability details
GitLab has remediated an issue in GitLab EE affecting all versions from 15.4 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an authenticated user to add email addresses to targeted user accounts due to improper sanitization of HTML content.
- CWE(s): CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting'), CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page)
Related Threats
MITRE ATT&CK Enterprise Techniques
- Account Manipulation (T1098)
Why these techniques?
Vulnerability enables direct modification of targeted user accounts via unauthorized addition of email addresses (XSS-driven HTML injection), mapping to Account Manipulation.
Mitigating Controls (NIST 800-53 r5)
SI-10 (Information Input Validation): directly requires input validation mechanisms to prevent the improper HTML sanitization that enables injection of malicious content for unauthorized account modifications.
SI-15 (Information Output Filtering): mandates output filtering techniques to neutralize script-related HTML tags, addressing the XSS nature of the vulnerability and preventing exploitation.
SI-2 (Flaw Remediation): ensures timely identification, reporting, and correction of flaws like improper HTML sanitization through patching, as demonstrated by GitLab's remediation.
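The first two controls above describe a pattern rather than a specific fix: validate user-supplied HTML against an allowlist before storing it (SI-10), and escape everything that is rendered back so script-related tags cannot execute (SI-15). The following is an added illustration of that pattern, written for this page; it is not GitLab's sanitizer, the advisory does not describe the affected code path, and the allowed tags, allowed attributes and URL schemes are assumptions chosen for the example. The sample HTML fragment is constructed.

```python
"""Allowlist HTML sanitization (input validation) plus output escaping
(output filtering), as a constructed illustration of the SI-10/SI-15 pattern.
Not GitLab's sanitizer; the policy below is an assumption for this example.
"""
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed policy: a few formatting tags, and only href on <a>.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "ul", "ol", "li", "code", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br"}
DROP_WITH_CONTENT = {"script", "style"}  # their text must never reach the page


def safe_url(url: str) -> bool:
    """Accept relative URLs and the allowed schemes only.

    Browsers ignore whitespace and control characters inside a URL, so strip
    them before looking at the scheme (otherwise "java\tscript:" slips past).
    """
    cleaned = "".join(ch for ch in url if not ch.isspace() and ord(ch) > 0x1F)
    scheme = urlparse(cleaned).scheme.lower()
    return scheme == "" or scheme in SAFE_SCHEMES


class AllowlistSanitizer(HTMLParser):
    """Re-serializes only allowlisted tags/attributes; escapes all text."""

    def __init__(self):
        # convert_charrefs=True hands us decoded text and attribute values,
        # so entity-encoded payloads (e.g. "&#106;avascript:") are checked decoded.
        super().__init__(convert_charrefs=True)
        self.out = []
        self.stack = []      # open allowlisted tags, to close them in order
        self.dropped = []    # what was removed: a hook for logging/detection
        self.skip_depth = 0  # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            self.dropped.append(tag)
            return
        if self.skip_depth:
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(tag)
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            allowed = name in ALLOWED_ATTRS.get(tag, set())
            if allowed and (name != "href" or safe_url(value)):
                kept.append(f' {name}="{html.escape(value, quote=True)}"')
            else:
                self.dropped.append(f"{tag}[{name}]")
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in self.stack:
            return
        # Close any tags left open inside the one being closed.
        while self.stack:
            open_tag = self.stack.pop()
            self.out.append(f"</{open_tag}>")
            if open_tag == tag:
                break

    def handle_data(self, data):
        # Output filtering: text is always escaped on the way out.
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))

    # Comments, declarations and processing instructions fall through to the
    # base class, which ignores them, so they are dropped from the output.

    def result(self) -> str:
        self.close()  # flush buffered text
        while self.stack:  # close anything the input left unbalanced
            self.out.append(f"</{self.stack.pop()}>")
        return "".join(self.out)


def sanitize(untrusted_html: str) -> tuple[str, list[str]]:
    """Return (clean_html, dropped_items)."""
    parser = AllowlistSanitizer()
    parser.feed(untrusted_html)
    return parser.result(), parser.dropped


# Constructed sample input for the example.
SAMPLE = ('<p>Hi <b>team</b><script>alert(1)</script>'
          '<a href="javascript:alert(1)" onclick="x()">link</a>'
          '<a href="https://example.com">ok</a> 1 &lt; 2</p>')

if __name__ == "__main__":
    clean, dropped = sanitize(SAMPLE)
    print(clean)
    print("dropped:", dropped)
```

The `dropped` list is the part worth wiring into monitoring: a burst of removed `script` tags or `a[onclick]` attributes from one account is a cheap signal that someone is probing the sanitizer. For production use, a maintained sanitizer library with a reviewed policy is the right choice; the value of a small example like this is that it makes the two halves of the control visible, the allowlist decision on the way in and the unconditional escaping on the way out.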