VYPR
Medium severity 4.3 · NVD Advisory · Published Jun 11, 2026 · Updated Jun 11, 2026

CVE-2026-10733

Description

An authenticated GitLab user can cause denial of service on the CI/CD Catalog page due to improper input sanitization in versions 17.0 to 19.0.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

GitLab CE/EE versions from 17.0 up to but not including 18.10.8, from 18.11 up to but not including 18.11.5, and 19.0 up to but not including 19.0.2 are affected. The vulnerability lies in the CI/CD Catalog page where improper input sanitization allows an authenticated user to inject crafted input that triggers a denial of service condition [1].

Exploitation

An attacker must be an authenticated GitLab user with access to the CI/CD Catalog page. By submitting specially crafted input (e.g., in a project description or similar field that is displayed on the catalog page), the attacker can cause the page to become unresponsive or crash, effectively denying service to other users viewing the catalog [1].

Impact

Successful exploitation results in denial of service affecting the CI/CD Catalog page. Other users may be unable to view or interact with the catalog. No data confidentiality or integrity impact is indicated; the issue is limited to availability.

Mitigation

The vulnerability is fixed in GitLab versions 18.10.8, 18.11.5, and 19.0.2, released on June 10, 2026 [1]. Users are advised to upgrade to one of these patched versions. No workarounds have been provided.
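The affected ranges under Vulnerability and the fixed releases under Mitigation can be turned into an inventory check. The following is an added example, not code from GitLab or from this advisory. The function names, the handling of suffixes such as `-ee`, and the sample inventory are assumptions made for illustration.

```python
import re

# Affected ranges as stated in the advisory text above:
# (first affected version, first fixed version); the fixed bound is exclusive.
AFFECTED_RANGES = [
    ((17, 0, 0), (18, 10, 8)),
    ((18, 11, 0), (18, 11, 5)),
    ((19, 0, 0), (19, 0, 2)),
]

# MAJOR.MINOR[.PATCH] with an optional leading "v" and an optional
# edition/build suffix such as "-ee" (suffix handling is an assumption).
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?(?:[-+].*)?$")


def parse_version(text):
    """Return (major, minor, patch) as integers; a missing patch counts as 0."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognized GitLab version string: {text!r}")
    return tuple(int(part) if part is not None else 0 for part in match.groups())


def fixed_version_for(text):
    """Return the first fixed release of the range containing this version,
    or None when the version is outside every affected range."""
    version = parse_version(text)
    for first_affected, first_fixed in AFFECTED_RANGES:
        if first_affected <= version < first_fixed:
            return ".".join(str(part) for part in first_fixed)
    return None


if __name__ == "__main__":
    # Constructed sample inventory: hostnames and versions are made up.
    inventory = {
        "gitlab-a.example.internal": "18.10.7-ee",
        "gitlab-b.example.internal": "18.10.8-ee",
        "gitlab-c.example.internal": "18.11.0",
        "gitlab-d.example.internal": "19.0.1-ce",
        "gitlab-e.example.internal": "16.11.10",
    }
    for host, version in inventory.items():
        fix = fixed_version_for(version)
        status = f"AFFECTED, fixed in {fix}" if fix else "not affected"
        print(f"{host:28} {version:12} {status}")
```

Comparing against "17.0 to 19.0.1" as one span would flag 18.10.8 and 18.11.5, which the advisory lists as fixed; checking each range separately avoids that.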

AI Insight generated on Jun 11, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

1

News mentions

1