#VU124606 Stored cross-site scripting in GitLab Community Edition and GitLab Enterprise Edition - CVE-2026-2973

 


Published: March 25, 2026 / Updated: March 26, 2026


Vulnerability identifier: #VU124606
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green
CVE-ID: CVE-2026-2973
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
GitLab Community Edition
GitLab Enterprise Edition
Software vendor:
GitLab, Inc.

Description

The vulnerability allows a remote authenticated user to execute arbitrary JavaScript in another user's browser.

The vulnerability exists due to improper sanitization of entity-encoded content in the Mermaid diagram renderer. A remote user with low privileges can store a crafted Mermaid diagram whose script payload is hidden behind HTML character references; the sanitizer does not account for this encoded form, so when another user views the content the payload is rendered and the JavaScript executes in that user's browser, in the origin of the GitLab instance (stored XSS). As the CVSS vector indicates, exploitation requires an authenticated attacker (PR:L) and the victim must open the affected content (UI:P); the impact is limited to the victim's session (SC:L/SI:L) rather than the vulnerable component itself.


Remediation

Install the security update from the vendor's website. This advisory does not list the fixed versions; consult the GitLab release notes for the patched releases and verify the installed version after upgrading.
