CVE-2025-11224 — Cross-site Scripting in Gitlab

CWE-79 — Cross-site Scripting CWE-825 — Expired Pointer Dereference8 documents7 sources

Severity

5.4MEDIUMNVD

EPSS

0.0%

top 89.29%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gitlab Linux Kernel Debian Gitlab +1 more

Timeline

PublishedJan 14

Description

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.10 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated user to execute stored cross-site scripting through improper input validation in the Kubernetes proxy functionality.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages6 packages

▶CVEListV5gitlab/gitlab15.10 — 18.3.6+2

▶NVDgitlab/gitlab15.10.0 — 18.3.6+2

▶debiandebian/gitlab

▶gitlabgitlab/gitlab

▶gitlabgitlab/gitlab_ce

Patches

Patch: about.gitlab.com ↗

🔴Vulnerability Details

OSV

CVE-2025-11224: GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15↗2026-01-14

▶

GHSA

GHSA-x45w-x744-4hj7: GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15↗2026-01-14

▶

OSV

smb: client: fix potential cfid UAF in smb2_query_info_compound↗2025-12-08

▶

📋Vendor Advisories

GitLab

CVE-2025-11224: GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.10 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that could↗2026-01-14

▶

Red Hat

kernel: smb: client: fix potential cfid UAF in smb2_query_info_compound↗2025-12-08

▶

Debian

CVE-2025-11224: gitlab - GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.10...↗2025

▶

🕵️Threat Intelligence

Wiz

CVE-2025-11224 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶