CVE-2026-1090

Summary

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 10.6 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user, when the markdown_placeholders feature flag was enabled, to inject JavaScript in a browser due to improper sanitization of placeholder content in markdown processing.

Affected Software

VendorProductVersion RangeStatus
GitLabGitLab10.6 < 18.7.6affected
GitLabGitLab18.8 < 18.8.6affected
GitLabGitLab18.9 < 18.9.2affected

Weaknesses

  • CWE-79: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References