VYPR
Unrated severity · NVD Advisory · Published Jan 24, 2023 · Updated Apr 1, 2025

CVE-2022-4092


Description

An issue has been discovered in GitLab EE affecting all versions starting from 15.6 before 15.6.1. It was possible to create a malicious README page due to improper neutralisation of user supplied input.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

GitLab EE 15.6 prior to 15.6.1 allows HTML injection in README files, enabling credential theft via a spoofed login form.

Vulnerability

An HTML injection vulnerability exists in GitLab EE versions 15.6 before 15.6.1. The issue is in the `plain_unsafe` method of the markup rendering service (file `app/services/markup/rendering_service.rb`, line 66), which interpolates user-supplied content directly into an HTML wrapper tag without escaping it. Although the output is later sanitized by DOMPurify, the `<form>` tag is allowed by that sanitizer, so arbitrary HTML forms can be injected into the README page when the file is named `README` (without extension). [1]

Exploitation

An attacker with write access to a project can create a file named README containing HTML code that includes a malicious login form, for example using GitLab's own flash message styling. When a user views the project's main page, the injected HTML is rendered. The attacker can then trick the victim into entering their credentials into the spoofed form, which are sent to the attacker's controlled server. [1]

Impact

Successful exploitation allows an attacker to steal login credentials via a phishing attack, potentially leading to account takeover. The vulnerability does not allow full cross-site scripting (XSS), but it can be used for credential theft because `<form>` elements can be injected. The impact is high because it targets authenticated users viewing project pages. [1]

Mitigation

GitLab has released version 15.6.1 which fixes the vulnerability. Users running GitLab EE 15.6 should upgrade to 15.6.1 immediately. No workarounds are available. The issue is tracked in GitLab issue #383208 and the fix was included in the patch release. [1]

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.


Vulnerability mechanics

Root cause

"Missing HTML escaping in the plain-text README rendering method allows injection of arbitrary HTML content."

Attack vector

An attacker creates a file named `README` (no extension) in a GitLab project and fills it with HTML content that closes the wrapping tag.

Affected code

The vulnerability is in the `plain_unsafe` method of `app/services/markup/rendering_service.rb`. The method wraps raw user-supplied text in an HTML tag.

What the fix does

The advisory does not include a published patch diff. The expected correct behavior, as stated by the reporter, is that "HTML tag in a plain text should be escaped" [1]. The fix would involve escaping HTML entities in the `plain_unsafe` method (or its replacement) so that user-supplied text is rendered as literal text rather than interpreted as markup.
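As an added illustration (not GitLab's code and not the actual patch), the vulnerable shape the advisory describes next to the escaped form the reporter asked for, plus a regression check a reviewer could keep in a test suite; the `<pre>` wrapper tag and the exact-name check for `README` are assumptions:

```ruby
require "erb"

# Added illustration, not GitLab's code. The <pre> wrapper tag and the
# extension-less "README" file-name check are assumptions from the advisory.
module PlainReadmeRendering
  module_function

  # Vulnerable shape: user text is interpolated into the wrapper tag
  # unescaped, so any HTML in the file is emitted as live markup.
  def plain_unsafe(text)
    "<pre>#{text}</pre>"
  end

  # Hardened form: escape &, <, >, " and ' so the file content is
  # rendered literally as text instead of being parsed as tags.
  def plain_escaped(text)
    "<pre>#{ERB::Util.html_escape(text)}</pre>"
  end

  # Regression check: does the rendered HTML contain any tag other than
  # the wrapper? True means user markup leaked through unescaped.
  def injected_markup?(html)
    html.scan(%r{</?([a-zA-Z][a-zA-Z0-9-]*)}).flatten.any? { |t| t.downcase != "pre" }
  end

  # Per the advisory only a file named exactly README (no extension)
  # took the plain-text rendering path.
  def plain_readme?(filename)
    filename == "README"
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample README content containing an injected form
  # (placeholder host, not the reporter's payload).
  sample = "Project notes\n<form action=\"https://example.invalid/\">" \
           "<input name=\"user\"></form>"
  puts PlainReadmeRendering.plain_unsafe(sample)
  puts PlainReadmeRendering.plain_escaped(sample)
end
```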

Preconditions

  • Auth: Attacker must have permission to create or edit a file named `README` (no extension) in a GitLab project.
  • Input: Victim must visit the project's main page where the README is rendered.

Reproduction

1. In an existing GitLab project (or create a new one), add a file named `README` (no extension; `README.md` does not work).
2. Set the file content to the HTML payload provided in the HackerOne report, which includes a fake login form that submits credentials to an attacker-controlled server (e.g., `https://yvvdwf.me/gl`).
3. Save the file and navigate to the project's main page. After approximately 3 seconds, a login popup appears.
4. If a victim enters their credentials and submits the form, the username and password are sent to the attacker's server [1].

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
