CVE-2025-9222 — Cross-site Scripting in Gitlab

CWE-79 — Cross-site Scripting6 documents6 sources

Severity

5.4MEDIUMNVD

EPSS

0.0%

top 89.17%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gitlab Debian Gitlab Gitlab CE

Timeline

PublishedJan 9

Description

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2.2 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user to achieve stored cross-site scripting by exploiting GitLab Flavored Markdown.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages5 packages

▶CVEListV5gitlab/gitlab18.6 — 18.6.3+1

▶NVDgitlab/gitlab18.2.2 — 18.5.5+2

▶debiandebian/gitlab

▶gitlabgitlab/gitlab

▶gitlabgitlab/gitlab_ce

🔴Vulnerability Details

GHSA

GHSA-p9cp-qq4c-2wr5: GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18↗2026-01-09

▶

📋Vendor Advisories

Red Hat

gitlab: GitLab: Stored Cross-Site Scripting via GitLab Flavored Markdown↗2026-01-09

▶

GitLab

CVE-2025-9222: GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2.2 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could↗2026-01-09

▶

Debian

CVE-2025-9222: gitlab - GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2....↗2025

▶

🕵️Threat Intelligence

Wiz

CVE-2025-9222 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶