CVE-2021-39946
Description
Improper neutralization of user input in GitLab CE/EE versions 14.3 to 14.3.6, 14.4 to 14.4.4, and 14.5 to 14.5.2 allowed an attacker to exploit XSS by abusing the generation of the HTML code related to emojis
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in GitLab CE/EE 14.3-14.5.2 via improper neutralization of user input in emoji HTML generation allows arbitrary JavaScript execution.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in GitLab CE/EE versions 14.3 to 14.3.6, 14.4 to 14.4.4, and 14.5 to 14.5.2. The issue arises from improper neutralization of user input during the generation of HTML for emojis. Two sanitization bypasses were identified: one in the SyntaxHighlightFilter (server-side) and another in the gl-emoji custom element (frontend). The SyntaxHighlightFilter constructs HTML using unsanitized data-sourcepos attributes, while the gl-emoji element allows injection via the data-name attribute, bypassing the v-safe-html directive [1].
Exploitation
An authenticated attacker with the ability to create or edit issue comments can exploit this vulnerability. The attacker crafts a payload containing a tag with a malicious `data-sourcepos` attribute and a `gl-emoji` element with a crafted `data-name` attribute. When the comment is saved and later viewed by another user, the injected HTML is rendered, and the attacker's JavaScript executes in the context of the victim's browser. The exploit requires no additional user interaction beyond viewing the affected page. Self-managed GitLab instances are vulnerable; GitLab SaaS is not affected due to Content Security Policy (CSP) restrictions [1].
Impact
Successful exploitation results in stored XSS, allowing the attacker to execute arbitrary JavaScript in the browser of any user who views the malicious comment. This can lead to session hijacking, theft of sensitive data, or performing actions on behalf of the victim within the GitLab instance. The attacker gains the same privileges as the victim user.
Mitigation
GitLab has addressed this vulnerability in versions 14.3.7, 14.4.5, and 14.5.3. Users running affected versions should upgrade immediately. No workarounds are documented. GitLab SaaS instances are not vulnerable. This CVE is not listed in CISA's Known Exploited Vulnerabilities catalog.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: >=14.3, <=14.3.6 || >=14.4, <=14.4.4 || >=14.5, <=14.5.2
- Range: >=14.3, <14.3.6
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Improper neutralization of user input in the server-side SyntaxHighlightFilter and the client-side gl-emoji custom element allows injection of unescaped HTML attributes, leading to stored XSS."
Attack vector
An attacker who can post comments on issues, snippets, or other note-capable pages can inject a crafted payload into the comment field [ref_id=1]. The payload uses a `
Affected code
The vulnerability involves two code paths. On the server side, `SyntaxHighlightFilter` (in `lib/banzai/filter/syntax_highlight_filter.rb`) constructs HTML by interpolating the unsanitized `data-sourcepos` attribute directly into a `
What the fix does
The advisory does not include a published patch diff, but the issue was addressed in GitLab versions 14.3.6, 14.4.4, and 14.5.2 [ref_id=1]. The fix would require sanitizing the `data-sourcepos` attribute value in `SyntaxHighlightFilter` before interpolating it into the HTML string, and validating or escaping the `data-name` attribute of the `
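The two defences described above (validate the attribute against its expected shape, then HTML-escape it before interpolation), shown as an added Ruby example that is not GitLab's code; the `div` tag name, the sourcepos format and the emoji-name character set are assumptions, not taken from the advisory:

```ruby
require 'cgi'

# Added example, not GitLab's own filter code. Shows the vulnerable
# interpolation pattern beside a validate-then-escape replacement.

# Assumed formats (not stated in the advisory): a CommonMark sourcepos
# is "line:col-line:col"; an emoji shortcode is a short [a-z0-9_+-] word.
SOURCEPOS_RE = /\A\d+:\d+-\d+:\d+\z/
EMOJI_NAME_RE = /\A[a-z0-9_+\-]{1,64}\z/

# Vulnerable pattern: the value is dropped into the template verbatim,
# so a '"' inside it closes the attribute and the rest becomes markup.
def open_tag_vulnerable(tag, attr, value)
  %(<#{tag} #{attr}="#{value}">)
end

# Hardened pattern: reject anything that does not match the expected
# shape, then escape what is accepted so no quote or bracket stays raw.
def open_tag_safe(tag, attr, value, pattern)
  raise ArgumentError, "invalid #{attr}: #{value.inspect}" unless value.match?(pattern)
  %(<#{tag} #{attr}="#{CGI.escapeHTML(value)}">)
end

# Escape-only variant for free-form attribute values where a strict
# pattern is not appropriate; quotes become &quot; and cannot break out.
def escape_attr(value)
  CGI.escapeHTML(value.to_s)
end

if __FILE__ == $PROGRAM_NAME
  hostile = '1:1-1:5" x="y' # constructed breakout value for illustration
  puts open_tag_vulnerable('div', 'data-sourcepos', hostile)
  puts open_tag_safe('div', 'data-sourcepos', '1:1-1:5', SOURCEPOS_RE)
  puts open_tag_safe('gl-emoji', 'data-name', 'thumbsup', EMOJI_NAME_RE)
  puts escape_attr(hostile)
end
```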
Preconditions
- Auth: Attacker must be able to post comments on issues, snippets, or other pages that support notes.
- Config: The target must be a self-managed GitLab instance (the report notes GitLab SaaS is not vulnerable due to CSP).
- Auth: No special privileges beyond standard comment posting are required.
Reproduction
1. Launch a self-managed GitLab instance (e.g., version 14.4.2-ee).
2. Create an issue.
3. Paste the following payload into the comment field: `
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39946.json (CONFIRM)
- gitlab.com/gitlab-org/gitlab/-/issues/345657 (MISC)
- hackerone.com/reports/1398305 (MISC)
News mentions
No linked articles in our index yet.