{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1090", "assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "state": "PUBLISHED", "assignerShortName": "GitLab", "dateReserved": "2026-01-16T21:03:59.336Z", "datePublished": "2026-03-11T16:05:05.863Z", "dateUpdated": "2026-03-12T13:32:23.694Z"}, "containers": {"cna": {"title": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab", "descriptions": [{"lang": "en", "value": "GitLab has remediated an issue in GitLab CE/EE affecting all versions from 10.6 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user, when the `markdown_placeholders` feature flag was enabled, to inject JavaScript in a browser due to improper sanitization of placeholder content in markdown processing."}], "affected": [{"vendor": "GitLab", "product": "GitLab", "repo": "git://git@gitlab.com:gitlab-org/gitlab.git", "cpes": ["cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*"], "versions": [{"version": "10.6", "status": "affected", "lessThan": "18.7.6", "versionType": "semver"}, {"version": "18.8", "status": "affected", "lessThan": "18.8.6", "versionType": "semver"}, {"version": "18.9", "status": "affected", "lessThan": "18.9.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "references": [{"url": "https://hackerone.com/reports/3502450", "name": "HackerOne Bug Bounty Report #3502450", "tags": ["technical-description", "exploit", "permissions-required"]}, {"url": "https://gitlab.com/gitlab-org/gitlab/-/work_items/586478"}, {"url": "https://about.gitlab.com/releases/2026/03/11/patch-release-gitlab-18-9-2-released/"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH"}}], "solutions": [{"lang": "en", "value": "Upgrade to versions 18.7.6, 18.8.6, 18.9.2 or above."}], "credits": [{"lang": "en", "value": "Thanks [yvvdwf](https://hackerone.com/yvvdwf) for reporting this vulnerability through our HackerOne bug bounty program", "type": "finder"}], "providerMetadata": {"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "shortName": "GitLab", "dateUpdated": "2026-03-11T16:05:05.863Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-12T03:55:35.416843Z", "id": "CVE-2026-1090", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T13:32:23.694Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1090", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-12T03:55:35.416843Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T19:44:22.120Z"}}], "cna": {"title": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab", "credits": [{"lang": "en", "type": "finder", "value": "Thanks [yvvdwf](https://hackerone.com/yvvdwf) for reporting this vulnerability through our HackerOne bug bounty program"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"cpes": ["cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*"], "repo": "git://git@gitlab.com:gitlab-org/gitlab.git", "vendor": "GitLab", "product": "GitLab", "versions": [{"status": "affected", "version": "10.6", "lessThan": "18.7.6", "versionType": "semver"}, {"status": "affected", "version": "18.8", "lessThan": "18.8.6", "versionType": "semver"}, {"status": "affected", "version": "18.9", "lessThan": "18.9.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Upgrade to versions 18.7.6, 18.8.6, 18.9.2 or above."}], "references": [{"url": "https://hackerone.com/reports/3502450", "name": "HackerOne Bug Bounty Report #3502450", "tags": ["technical-description", "exploit", "permissions-required"]}, {"url": "https://gitlab.com/gitlab-org/gitlab/-/work_items/586478"}, {"url": "https://about.gitlab.com/releases/2026/03/11/patch-release-gitlab-18-9-2-released/"}], "descriptions": [{"lang": "en", "value": "GitLab has remediated an issue in GitLab CE/EE affecting all versions from 10.6 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user, when the `markdown_placeholders` feature flag was enabled, to inject JavaScript in a browser due to improper sanitization of placeholder content in markdown processing."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "shortName": "GitLab", "dateUpdated": "2026-03-11T16:05:05.863Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1090", "state": "PUBLISHED", "dateUpdated": "2026-03-12T13:32:23.694Z", "dateReserved": "2026-01-16T21:03:59.336Z", "assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "datePublished": "2026-03-11T16:05:05.863Z", "assignerShortName": "GitLab"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "matchCriteriaId": "0882CA9D-1946-4287-8982-D95757F43BF8", "versionEndExcluding": "18.7.6", "versionStartIncluding": "10.6.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "E324666E-575A-4D81-B4A0-5C6070068C37", "versionEndExcluding": "18.7.6", "versionStartIncluding": "10.6.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "matchCriteriaId": "B703CB01-7F6D-4D6E-AE88-CF2F8012CA27", "versionEndExcluding": "18.8.6", "versionStartIncluding": "18.8.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "2B1F834B-A628-4894-A531-1A2A60DD58D7", "versionEndExcluding": "18.8.6", "versionStartIncluding": "18.8.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "matchCriteriaId": "44EAE9A6-5ED9-42F6-9BBD-0E2F8072F0D9", "versionEndExcluding": "18.9.2", "versionStartIncluding": "18.9.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "12A2DEC0-C471-4C98-960C-405209403AB9", "versionEndExcluding": "18.9.2", "versionStartIncluding": "18.9.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "GitLab has remediated an issue in GitLab CE/EE affecting all versions from 10.6 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user, when the `markdown_placeholders` feature flag was enabled, to inject JavaScript in a browser due to improper sanitization of placeholder content in markdown processing."}], "id": "CVE-2026-1090", "lastModified": "2026-03-13T12:36:26.963", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 5.8, "source": "cve@gitlab.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-11T16:16:22.340", "references": [{"source": "cve@gitlab.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://about.gitlab.com/releases/2026/03/11/patch-release-gitlab-18-9-2-released/"}, {"source": "cve@gitlab.com", "tags": ["Broken Link"], "url": "https://gitlab.com/gitlab-org/gitlab/-/work_items/586478"}, {"source": "cve@gitlab.com", "tags": ["Permissions Required"], "url": "https://hackerone.com/reports/3502450"}], "sourceIdentifier": "cve@gitlab.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "cve@gitlab.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[10.6,18.7.6)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[18.8,18.8.6)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[18.9,18.9.2)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "gitlab", "vendor": "gitlab"}], "analysis": {"en": {"generated_at": "2026-03-17T14:56:47.113058+00:00", "value": {"mitigation_remediation": ["Upgrade to GitLab version 18.7.6 or later, 18.8.6 or later, or 18.9.2 or later."], "summary": {"action": "Immediate Patch", "impact": "Cross\u2011site Scripting"}, "threat_synthesis": {"affected_systems": "The flaw affects GitLab Community Edition (CE) and Enterprise Edition (EE) from early releases starting at 10.6 up to, but not including, 18.7.6, all 18.8 releases before 18.8.6, and all 18.9 releases before 18.9.2. The affected product is identified by the CPE entries provided for GitLab.", "description_and_impact": "An authenticated user can inject arbitrary JavaScript into any web page rendered by GitLab when the markdown_placeholders feature flag is enabled. The vulnerability is a result of improper sanitization of placeholder content inside Markdown processing, leading to a classic Reflected Cross\u2011Site Scripting (XSS) flaw. An attacker who gains access to a GitLab account could use this injection to execute arbitrary scripts in the victim's browser, potentially compromising personal credentials, session tokens, or other sensitive data visible to the user.", "risk_and_exploitability": "The CVSS score of 8.7 indicates a high severity level (High). The EPSS score is less than 1%, suggesting that the probability of exploitation is low. The vulnerability is not listed in the CISA KEV catalog, meaning it has not been tied to known, widespread exploitation campaigns. Exploitation requires the attacker to be an authenticated user with an enabled markdown_placeholders flag. Because the attack vector is a typical web interface action performed through a browser, the threat surface is limited to users with valid credentials and the feature flag set."}}}}, "created": "2026-03-12T09:58:12.624648+00:00", "updated": "2026-03-20T15:30:47.462448+00:00", "vendors": ["gitlab", "gitlab$PRODUCT$gitlab"]}