CVE-2025-4278 — Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in Gitlab

CWE-80 — Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)6 documents6 sources

Severity

8.7HIGHNVD

EPSS

0.4%

top 40.13%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gitlab Debian Gitlab Gitlab CE

Timeline

PublishedJun 12

Description

An issue has been discovered in GitLab CE/EE affecting all versions starting with 18.0 before 18.0.2. Under certain conditions html injection in new search page could lead to account takeover.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:NExploitability: 2.3 | Impact: 5.8

Affected Packages5 packages

▶CVEListV5gitlab/gitlab18.0 — 18.0.2

▶NVDgitlab/gitlab18.0.0 — 18.0.2

▶debiandebian/gitlab

▶gitlabgitlab/gitlab

▶gitlabgitlab/gitlab_ce

🔴Vulnerability Details

GHSA

GHSA-wjcq-cqhf-f7rm: An issue has been discovered in GitLab CE/EE affecting all versions starting with 18↗2025-06-12

▶

OSV

CVE-2025-4278: An issue has been discovered in GitLab CE/EE affecting all versions starting with 18↗2025-06-12

▶

📋Vendor Advisories

GitLab

CVE-2025-4278: An issue has been discovered in GitLab CE/EE affecting all versions starting with 18.0 before 18.0.2. Under certain conditions html injection in new s↗2025-06-12

▶

Debian

CVE-2025-4278: gitlab - An issue has been discovered in GitLab CE/EE affecting all versions starting wit...↗2025

▶

🕵️Threat Intelligence

Bleepingcomputer

GitLab patches high severity account takeover, missing auth issues↗2025-06-12

▶