CVE-2025-13761 — Cross-site Scripting in Gitlab

CWE-79 — Cross-site Scripting6 documents6 sources

Severity

9.6CRITICALNVD

EPSS

0.0%

top 86.20%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gitlab Debian Gitlab Gitlab CE

Timeline

PublishedJan 9

Description

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an unauthenticated user to execute arbitrary code in the context of an authenticated user's browser by convincing the legitimate user to visit a specially crafted webpage.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:HExploitability: 2.8 | Impact: 6.0

Affected Packages5 packages

▶CVEListV5gitlab/gitlab18.6 — 18.6.3+1

▶NVDgitlab/gitlab18.6.0 — 18.6.3+1

▶debiandebian/gitlab

▶gitlabgitlab/gitlab

▶gitlabgitlab/gitlab_ce

🔴Vulnerability Details

GHSA

GHSA-3r2c-p78w-vg88: GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18↗2026-01-09

▶

📋Vendor Advisories

Red Hat

gitlab: GitLab: Cross-Site Scripting Vulnerability Leading to Arbitrary Code Execution↗2026-01-09

▶

GitLab

CVE-2025-13761: GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an unaut↗2026-01-09

▶

Debian

CVE-2025-13761: gitlab - GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.6 ...↗2025

▶

🕵️Threat Intelligence

Wiz

CVE-2025-13761 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶