CVE-2026-4332
Description
GitLab has remediated an issue in GitLab EE affecting all versions from 18.2 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that, in customizable analytics dashboards, could have allowed an authenticated user to execute arbitrary JavaScript in the context of other users' browsers due to improper input sanitization.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An authenticated GitLab EE user can execute arbitrary JavaScript in other users' browsers via customizable analytics dashboards due to improper input sanitization.
Vulnerability
This vulnerability affects GitLab Enterprise Edition (EE) versions from 18.2 before 18.8.9, from 18.9 before 18.9.5, and from 18.10 before 18.10.3. The root cause is improper input sanitization in customizable analytics dashboards, which allows an authenticated user to inject arbitrary JavaScript [1].
Exploitation
An attacker must be authenticated to the GitLab instance and have access to the customizable analytics dashboard feature. The attack vector is stored XSS: the malicious JavaScript is saved and later executed when other users view the dashboard. No additional privileges beyond a valid user account are required [1].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of other users' browsers. This can lead to session hijacking, data theft, or other actions performed as the victim user within their GitLab session [1]. The vulnerability is rated Medium (CVSS 5.4).
Mitigation
GitLab has released patched versions 18.8.9, 18.9.5, and 18.10.3. Self-managed instances should upgrade immediately; GitLab.com and GitLab Dedicated customers are already protected [1]. No workarounds are mentioned; upgrading is the recommended action.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:* (range: >=18.2.0, <18.8.9)
- (no CPE) (range: >=18.2, <18.8.9; >=18.9, <18.9.5; >=18.10, <18.10.3)
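To check whether a self-managed instance falls inside the affected ranges listed above, the following added example (not GitLab's code) encodes the three ranges from this advisory and compares a version string against them; it assumes version strings of the form MAJOR.MINOR.PATCH with an optional edition suffix such as "-ee".

```python
"""Check a GitLab EE version against the ranges affected by CVE-2026-4332.

Added example, not GitLab's own tooling. The ranges below are copied from the
advisory text: lower bound inclusive, first fixed version exclusive.
"""
from typing import List, Tuple

AFFECTED_RANGES: List[Tuple[str, str]] = [
    ("18.2.0", "18.8.9"),
    ("18.9.0", "18.9.5"),
    ("18.10.0", "18.10.3"),
]


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn 'MAJOR.MINOR[.PATCH][-suffix]' into a comparable tuple.

    The suffix handling (e.g. '18.8.8-ee') is an assumption about how the
    version is reported; the advisory covers EE, and this check does not
    distinguish editions.
    """
    core = version.strip().split("-", 1)[0]
    parts = core.split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def fixed_version_for(version: str) -> str:
    """Return the patched release to upgrade to, or '' if not affected."""
    v = parse_version(version)
    for lower, fixed in AFFECTED_RANGES:
        if parse_version(lower) <= v < parse_version(fixed):
            return fixed
    return ""


def is_affected(version: str) -> bool:
    return fixed_version_for(version) != ""


if __name__ == "__main__":
    # Constructed sample inputs, not real instances.
    for sample in ["18.8.8-ee", "18.8.9-ee", "18.10.2", "18.1.0", "18.11.0"]:
        fix = fixed_version_for(sample)
        print(sample, "-> upgrade to " + fix if fix else "-> not in an affected range")
```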
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- about.gitlab.com/releases/2026/04/08/patch-release-gitlab-18-10-3-released/ (NVD tags: Release Notes, Vendor Advisory)
- hackerone.com/reports/3600345 (NVD tags: Permissions Required)
News mentions
- GitLab Patch Release: 18.10.3, 18.9.5, 18.8.9 (GitLab Security Releases, Apr 8, 2026)