CVE-2018-19570
Description
GitLab CE/EE, versions 11.3 before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, are vulnerable to an XSS vulnerability in Markdown fields via unrecognized HTML tags.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
GitLab CE/EE before 11.3.11, 11.4.8, and 11.5.1 is vulnerable to persistent XSS via crafted Markdown with an unrecognized HTML tag and a javascript link.
Vulnerability
In GitLab CE/EE versions 11.3 before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, the Markdown parser does not properly sanitize unrecognized HTML tags. This allows an attacker to insert a malicious unrecognized HTML tag followed by a Markdown link with a `javascript:` URL, which becomes clickable in the rendered output [1]. The vulnerability is present in any field that uses the Markdown editor, such as issue descriptions, comments, and snippet descriptions.
Exploitation
An attacker must have an account on the GitLab instance and be able to create or edit content using the Markdown editor (e.g., issues, comments, snippets). The attacker crafts a payload with an unrecognized HTML tag on one line, then a markdown link with a javascript: URL on the next line. The payload is submitted; when another user clicks the link (which may be disguised as an issue reference), the JavaScript executes in the context of the victim's session [1]. No elevated privileges are required beyond the ability to add Markdown content.
Impact
Successful exploitation leads to persistent cross-site scripting (XSS). The attacker can execute arbitrary JavaScript in the victim's browser within the GitLab domain. This can result in session hijacking, defacement, or access to sensitive information displayed on the page. The XSS is considered high severity (CVSS 8.8) due to the potential for account takeover and privilege escalation [1].
Mitigation
GitLab released fixed versions: 11.3.11, 11.4.8, and 11.5.1. Upgrade to these versions or later to remediate the vulnerability. No workarounds are documented; blocking unrecognized HTML tags via a web application firewall may provide partial protection but is not a complete solution. This CVE is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of this writing.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- GitLab CE/EE
- Range: >=11.3, <11.3.11 || >=11.4, <11.4.8 || >=11.5, <11.5.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The Markdown renderer fails to properly sanitize or neutralize JavaScript URLs in links that follow an unrecognized HTML tag, allowing the browser to execute attacker-controlled JavaScript."
Attack vector
An attacker crafts a Markdown payload consisting of an unrecognized HTML tag (e.g., `
Affected code
The vulnerability exists in the GitLab Markdown renderer, which processes user-supplied content in issue descriptions, comments, and snippet descriptions. The flaw is triggered when an unrecognized HTML tag (e.g., `
What the fix does
The advisory does not include a patch diff, but the fix addresses the Markdown renderer's handling of unrecognized HTML tags. The remediation ensures that when an unrecognized tag precedes a Markdown link, the link is no longer rendered as clickable HTML with a `javascript:` URL. This closes the XSS vector by preventing the browser from executing attacker-controlled JavaScript when the link is clicked. No further technical details about the specific code change are available in the provided bundle.
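As an added illustration of the rule the fix enforces (example code written for this page, not GitLab's own sanitizer; the helper names `safe_href?`, `neutralize_unsafe_links` and the sample tag are assumptions), the following Ruby applies a deny-by-default scheme allowlist to every rendered anchor, independently of whatever HTML preceded the link. It normalises the target the way a browser would before checking the scheme, so entity-encoded, mixed-case and whitespace-padded variants of `javascript:` are all rejected:

```ruby
# Added example, not GitLab's code: an allowlist check on link targets that is
# applied to every rendered anchor, regardless of what HTML came before it.
# Helper names (safe_href?, neutralize_unsafe_links) are assumptions.

SAFE_SCHEMES = %w[http https mailto].freeze

# A few named entities; numeric (&#NN; / &#xHH;) forms are decoded generically.
NAMED_ENTITIES = {
  'amp' => '&', 'lt' => '<', 'gt' => '>', 'quot' => '"',
  'apos' => "'", 'tab' => "\t", 'newline' => "\n"
}.freeze

def decode_entities(str)
  str.gsub(/&(?:#x([0-9a-f]+)|#([0-9]+)|([a-z]+));/i) do
    if $1 then $1.to_i(16).chr(Encoding::UTF_8)
    elsif $2 then $2.to_i.chr(Encoding::UTF_8)
    else NAMED_ENTITIES.fetch($3.downcase, $&) # unknown entity: keep as-is
    end
  end
end

# Normalise a href the way a browser does before resolving it: decode
# entities, drop ASCII control characters and whitespace (browsers strip
# tab/newline inside a scheme), and lower-case the result.
def normalize_href(href)
  decode_entities(href.to_s).gsub(/[\x00-\x20\x7f]/, '').downcase
end

# True for relative URLs, fragments, and allowlisted schemes; false for
# everything else (javascript:, data:, vbscript:, ...). Deny by default.
def safe_href?(href)
  norm = normalize_href(href)
  return true if norm.empty?
  scheme = norm[/\A([a-z][a-z0-9+.\-]*):/, 1]
  return true if scheme.nil? # no scheme: relative path or fragment
  SAFE_SCHEMES.include?(scheme)
end

# Strip the href from anchors whose target fails the check. A regex over
# rendered HTML is enough for this illustration; a production sanitizer
# applies the same rule inside its HTML allowlist filter.
def neutralize_unsafe_links(html)
  html.gsub(/<a\s+href=(["'])(.*?)\1/i) do
    quote, href = $1, $2
    safe_href?(href) ? "<a href=#{quote}#{href}#{quote}" : '<a'
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: an unrecognized tag on one line, a link on the next.
  rendered = "<custom-tag></custom-tag>\n<a href=\"javascript:void(0)\">#42</a>"
  puts neutralize_unsafe_links(rendered)
end
```

The design point is that the decision is made per link target, after normalisation, so the check cannot be bypassed by changing what the parser did with an earlier tag. One caveat of a strict allowlist: a bare `host:port/path` with no scheme looks like an unknown scheme and is rejected too, which is the safe direction for user-supplied content.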
Preconditions
- Auth: The attacker must be able to create or edit Markdown content (e.g., issue descriptions, comments, or snippets) on a GitLab instance.
- Input: The victim must click the crafted link rendered by the Markdown editor.
- Input: The payload must include a newline after the unrecognized HTML tag for the exploit to work.
Reproduction
1. Create a new issue on a GitLab instance.
2. Enter any arbitrary title in the "Title" field.
3. On the "Write" tab of the "Description" field, paste the payload: `
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- www.securityfocus.com/bid/109169 (MITRE, vdb-entry, x_refsource_BID)
- about.gitlab.com/2018/11/28/security-release-gitlab-11-dot-5-dot-1-released/ (MITRE, x_refsource_CONFIRM)
- gitlab.com/gitlab-org/gitlab-ce/issues/52392 (MITRE, x_refsource_MISC)
News mentions
No linked articles in our index yet.