GitLab CE/EE Remote Code Execution

HIGH (8.7)

Threat Intelligence

Low Risk
EPSS Score: 0.01% chance of exploitation (percentile: 1%)
🔍 Detection Tools: None available in major open-source tools
⚔️ Exploit Availability: No public exploits found


What is it?

GitLab is a web-based platform for version control, project management, and collaboration. This vulnerability allows an authenticated user to inject malicious HTML into code flow displays, potentially leading to unauthorized actions on behalf of other users.

Am I affected?

You're affected if you use GitLab. Affected versions: 18.6.2, 18.4.6, 18.5.4. If you don't recognise this software, you're probably not affected.

How to fix

  1. Upgrade to GitLab 18.6.2 or later from the official GitLab website: https://about.gitlab.com/releases/2025/12/10/patch-release-gitlab-18-6-2-released/
  2. If an immediate upgrade isn't possible, adjust the gitlab.rb configuration file to disable HTML injection: gitlab.com/gitlab-org/gitlab/-/blob/v18.6.2/.gitlab.rb (search for the exact file name)
  3. Restrict network access to your GitLab instance (firewall it from the public internet) and monitor for suspicious activity.