Cyber Resilience

CVE-2026-2995
Severity: High
Published: 25 March 2026
Modified: 26 March 2026
KEV added: not listed
Patch: fixed in 18.8.7, 18.9.3 and 18.10.1
CVSS v3.1 score: 7.7 (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N)
EPSS score: 0.0008 (24.7th percentile)
Risk priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-2995 is a high-severity cross-site scripting vulnerability (CWE-80, basic XSS: improper neutralization of script-related HTML tags in a web page) in GitLab Enterprise Edition. Its CVSS v3.1 base score is 7.7 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Account Manipulation (T1098). EPSS ranks it at the 24.7th percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2026-2995 is a vulnerability in GitLab Enterprise Edition (EE) affecting all versions from 15.4 prior to 18.8.7, 18.9 prior to 18.9.3, and 18.10 prior to 18.10.1. The flaw arises from improper sanitization of HTML content, which allows an authenticated user to add email addresses to targeted user accounts. It is classified under CWE-79 (Cross-site Scripting) and its more specific child CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page), and carries a CVSS v3.1 base score of 7.7 (AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N).

An authenticated attacker with low privileges (PR:L) could exploit this vulnerability over the network (AV:N), but the vector records high attack complexity (AC:H) and required user interaction (UI:R): as is typical for XSS, the targeted user has to view the attacker's unsanitized content. Successful exploitation lets the attacker add unauthorized email addresses to the victim's account, scored as high confidentiality and integrity impact (C:H/I:H) with a changed scope (S:C) and no availability impact (A:N).

GitLab has remediated the issue, with fixes included in versions 18.8.7, 18.9.3, and 18.10.1. Upgrade affected EE instances to one of these releases. Additional details are available in the GitLab patch release notes at https://about.gitlab.com/releases/2026/03/25/patch-release-gitlab-18-10-1-released/, the associated work item at https://gitlab.com/gitlab-org/gitlab/-/work_items/591065, and the HackerOne disclosure report at https://hackerone.com/reports/3564600.
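The three affected ranges above are easy to misread, because each "fixed" release is an exclusive upper bound and GitLab reports its version with an edition suffix ("18.8.6-ee") that Gem::Version would otherwise parse as a prerelease tag. The following Ruby is an added example, not GitLab's own code: it encodes the advisory's ranges, normalises the version string, and reports the release to upgrade to. The sample JSON is constructed to mimic the shape of a GET /api/v4/version response and is not from a real instance; the hypothetical assess and split_edition helpers are this example's own.

```ruby
require "rubygems"
require "json"

# Affected ranges from the advisory, as [first affected, first fixed] pairs.
# The upper bound is exclusive: the "fixed" release itself is not affected.
AFFECTED_RANGES = [
  ["15.4.0",  "18.8.7"],
  ["18.9.0",  "18.9.3"],
  ["18.10.0", "18.10.1"],
].freeze

# GitLab reports versions as "18.8.6-ee" / "18.8.6-ce". Gem::Version would treat
# the "-ee" suffix as a prerelease tag (18.8.6.pre.ee < 18.8.6), which silently
# shifts every boundary comparison; strip the edition suffix before comparing.
# Returns [numeric version, edition or nil]. Helper name is this example's own.
def split_edition(version_string)
  m = version_string.strip.match(/\A(\d+(?:\.\d+)*)(?:-(ee|ce))?\z/i)
  raise ArgumentError, "unrecognised GitLab version: #{version_string.inspect}" unless m
  [m[1], m[2]&.downcase]
end

# Returns the release to upgrade to if the version falls in an affected range,
# or nil if it does not.
def fixed_version_for(version_string)
  number, _edition = split_edition(version_string)
  v = Gem::Version.new(number)
  hit = AFFECTED_RANGES.find do |first, fixed|
    v >= Gem::Version.new(first) && v < Gem::Version.new(fixed)
  end
  hit && hit[1]
end

# Full assessment. The advisory scopes CVE-2026-2995 to Enterprise Edition, so a
# CE build inside the range is reported separately; a version with no suffix is
# treated as affected because the edition is unknown.
def assess(version_string)
  number, edition = split_edition(version_string)
  fix = fixed_version_for(number)
  return { status: :not_affected, version: number, edition: edition } unless fix
  status = edition == "ce" ? :version_in_range_but_ce : :affected
  { status: status, version: number, edition: edition, fixed_in: fix }
end

# Constructed sample of the JSON shape GET /api/v4/version returns; not real data.
SAMPLE_VERSION_RESPONSE = '{"version":"18.9.2-ee","revision":"0000000"}'

def assess_version_response(json)
  assess(JSON.parse(json).fetch("version"))
end

if __FILE__ == $PROGRAM_NAME
  %w[18.9.2-ee 18.8.7-ee 18.10.0-ee 15.3.9-ee 18.9.2-ce].each do |v|
    puts "#{v}: #{assess(v)}"
  end
  puts assess_version_response(SAMPLE_VERSION_RESPONSE)
end
```

Feed it the "version" field from your own instance's /api/v4/version response (an access token is required to call that endpoint); the only decision the script makes is the range comparison, so it is safe to run from a workstation with no access to the GitLab host.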


Vulnerability details

GitLab has remediated an issue in GitLab EE affecting all versions from 15.4 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an authenticated user to add email addresses to targeted user accounts due to improper sanitization of HTML content.

CWE(s)

CWE-79 Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)
CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1098 Account Manipulation (tactic: Persistence)
Adversaries may manipulate accounts to maintain and/or elevate access to victim systems.
Why these techniques?

The vulnerability enables direct modification of targeted user accounts through the unauthorized addition of email addresses, driven by XSS/HTML injection, which maps to Account Manipulation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-0595 (same product: GitLab)
CVE-2025-12716 (same product: GitLab)
CVE-2025-0475 (same product: GitLab)
CVE-2025-14560 (same product: GitLab)
CVE-2025-2255 (same product: GitLab)
CVE-2025-6948 (same product: GitLab)
CVE-2026-0752 (same product: GitLab)
CVE-2025-0314 (same product: GitLab)
CVE-2025-9222 (same product: GitLab)
CVE-2025-0811 (same product: GitLab)

Affected Assets

Vendor: gitlab
Product: gitlab
Affected versions (upper bounds exclusive, the fixed release is not affected): 15.4.0 up to but not including 18.8.7; 18.9.0 up to but not including 18.9.3; 18.10.0 (fixed in 18.10.1)

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)
Directly requires information input validation mechanisms to prevent the improper HTML sanitization that enables injection of malicious content for unauthorized account modifications.

SI-15 Information Output Filtering (prevent)
Mandates output filtering techniques to neutralize script-related HTML tags, addressing the XSS nature of the vulnerability and preventing exploitation.

SI-2 Flaw Remediation (prevent)
Ensures timely identification, reporting, and correction of flaws like improper HTML sanitization through patching, as demonstrated by GitLab's remediation.
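SI-10 and SI-15 describe what a sanitizer must do, not how one fails. The CWE-80 failure mode behind findings like this one is a denylist that strips <script> blocks and lets every other script-bearing construct (event-handler attributes, javascript: URLs) through; the correct shape is an allowlist that re-serialises the output from scratch. The Ruby below is an added illustration of that contrast and is not GitLab's sanitizer or any library's API. The tag and attribute policy (ALLOWED_TAGS, SAFE_HREF) is an assumed policy chosen for the example, and the payloads are constructed, not taken from the advisory or the HackerOne report.

```ruby
require "cgi"
require "strscan"

# Denylist "sanitizer" of the kind behind CWE-80 findings: it removes <script>
# blocks and nothing else, so any other script-bearing construct passes through.
def sanitize_denylist(html)
  html.gsub(%r{<script\b[^>]*>.*?</script>}im, "")
end

# Allowlist sanitizer: output is re-serialised from scratch. Only tags in
# ALLOWED_TAGS survive, only the listed attributes survive on them, href must be
# http(s), and everything else (text, unknown tags, stray "<") is escaped.
# ALLOWED_TAGS and SAFE_HREF are this example's assumed policy; production code
# should use a maintained library such as rails-html-sanitizer instead.
ALLOWED_TAGS = {
  "b" => [], "i" => [], "em" => [], "strong" => [], "p" => [], "code" => [],
  "a" => ["href"],
}.freeze
SAFE_HREF = %r{\Ahttps?://}i
TAG_RE  = %r{<(/?)([A-Za-z][A-Za-z0-9]*)([^>]*)>}
ATTR_RE = /([A-Za-z][A-Za-z0-9-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/

def sanitize_allowlist(html)
  out = String.new
  s = StringScanner.new(html)
  until s.eos?
    if s.scan(TAG_RE)
      closing, name, raw_attrs = s[1] == "/", s[2].downcase, s[3]
      next unless ALLOWED_TAGS.key?(name)            # unknown tag: dropped, never echoed
      if closing
        out << "</#{name}>"
      else
        attrs = raw_attrs.scan(ATTR_RE).filter_map do |k, dq, sq, bare|
          k = k.downcase
          v = dq || sq || bare || ""
          next unless ALLOWED_TAGS[name].include?(k)  # onerror, onclick, style: dropped
          next if k == "href" && v !~ SAFE_HREF         # javascript:, data: URLs: dropped
          %( #{k}="#{CGI.escapeHTML(v)}")
        end
        out << "<#{name}#{attrs.join}>"
      end
    else
      # Plain text, or a "<" that does not start a well-formed tag: escape it.
      out << CGI.escapeHTML(s.scan(/[^<]+/) || s.getch)
    end
  end
  out
end

# Constructed payloads (not from the advisory) showing the difference.
PAYLOADS = [
  '<b>hello</b><script>alert(1)</script>',
  '<img src=x onerror=alert(1)>',
  '<a href="javascript:alert(1)">profile</a>',
  '<a href="https://gitlab.example/u?a=1&b=2" onclick="alert(1)">link</a>',
  '1 < 2 <B onmouseover=alert(1)>bold</B>',
]

if __FILE__ == $PROGRAM_NAME
  PAYLOADS.each do |p|
    puts "input    : #{p}"
    puts "denylist : #{sanitize_denylist(p)}"
    puts "allowlist: #{sanitize_allowlist(p)}"
    puts
  end
end
```

Note the asymmetry in how the two fail: the denylist version returns the <img onerror> payload unchanged, while the allowlist version fails closed and emits nothing for it. Any tag the allowlist does not recognise is removed, and a "<" that does not begin a well-formed tag is escaped rather than passed through, so the only way for markup to reach the output is through the explicit policy.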
