GitLab Patches 13 Vulnerabilities Including Three High-Severity XSS and Information Disclosure Flaws
GitLab released security updates fixing 13 vulnerabilities in Community and Enterprise Editions, including three high-severity bugs that could enable client-side code execution in users' sessions and information disclosure.

GitLab has rolled out security updates for both Community Edition (CE) and Enterprise Edition (EE) that patch 13 vulnerabilities, including three high-severity flaws. The most critical of these is CVE-2026-10086, a stored cross-site scripting (XSS) vulnerability in the Analytics dashboard of GitLab EE. According to GitLab, the bug stems from improper sanitization of user-supplied input, allowing an authenticated user with developer rights to execute arbitrary client-side code in the context of other users' sessions.
The second high-severity issue, CVE-2026-10712, is an XSS vulnerability in the Web IDE workbench asset handler. Unlike the first flaw, this one can be exploited by unauthenticated attackers to execute JavaScript code in users' browser sessions, making it particularly dangerous for organizations that expose the Web IDE to external users. The third high-severity bug, CVE-2026-12053, involves insufficient output filtering in Duo Workflows, which could allow users to access sensitive information already committed to a project.
In addition to the three high-severity vulnerabilities, the updates address seven medium-severity flaws spanning authorization bypass, incorrect authorization, insufficient filtering, improper input validation, and improper access control issues. Successful exploitation of these medium-severity bugs could lead to settings tampering, confidential information disclosure, DAST site profile secrets exfiltration, sensitive information being written to logs, content concealment, Maven package metadata overwrite, and package metadata disclosure.
GitLab has included patches for all these vulnerabilities in versions 19.1.1, 19.0.3, and 18.11.6. The company strongly recommends that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com, the company's cloud-hosted offering, is already running the patched version, meaning SaaS customers do not need to take action.
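As an added check that is not part of the article or of GitLab's own tooling: a small Python helper that classifies a self-managed instance's reported version against the three patched releases named above. It assumes the `GET /api/v4/version` response shape (`{"version": "x.y.z-ee", ...}`) and treats releases newer than the advisory as fixed and older series as needing an upgrade regardless; both are assumptions, not statements from the advisory.

```python
import re
from typing import Optional

# Minimum patched release per supported series, as listed in the advisory.
PATCHED_RELEASES = {
    (19, 1): (19, 1, 1),
    (19, 0): (19, 0, 3),
    (18, 11): (18, 11, 6),
}

# GitLab reports versions like "19.1.0-ee" or "18.11.5" (edition suffix optional).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(?:ee|ce))?$")


def parse_version(raw: str) -> Optional[tuple]:
    """Return (major, minor, patch) or None if the string is not a GitLab version."""
    match = VERSION_RE.match(raw.strip())
    if not match:
        return None
    return tuple(int(part) for part in match.group(1, 2, 3))


def assess(raw: str) -> str:
    """Classify a version string relative to the advisory's patched releases."""
    version = parse_version(raw)
    if version is None:
        return "unparseable"
    series = version[:2]
    if series in PATCHED_RELEASES:
        return "patched" if version >= PATCHED_RELEASES[series] else "vulnerable"
    if version > max(PATCHED_RELEASES.values()):
        # Assumption: releases after 19.1.1 carry the fixes forward.
        return "newer-than-advisory"
    # Assumption: series older than 18.11 received no backport; upgrade regardless.
    return "unsupported-series"


def assess_api_response(payload: dict) -> str:
    """Classify the JSON body returned by GET /api/v4/version (assumed shape)."""
    return assess(str(payload.get("version", "")))


if __name__ == "__main__":
    # Constructed sample response, not captured from a real instance.
    sample = {"version": "19.1.0-ee", "revision": "placeholder"}
    print(sample["version"], "->", assess_api_response(sample))
```

Run it against the instance's `/api/v4/version` output (which requires an authenticated token) to decide whether the upgrade is still outstanding.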
The disclosure comes as part of a broader wave of security updates from major software vendors this week. GitLab's advisory follows similar patch releases from Node.js, Jenkins, and Curl, highlighting the ongoing challenge of maintaining security across complex software supply chains.
Organizations running self-managed GitLab instances should prioritize updating their deployments, particularly given the severity of the XSS vulnerabilities that could be exploited to compromise user sessions. GitLab's advisory notes that the company is not aware of any active exploitation of these vulnerabilities in the wild at the time of publication, but the detailed disclosure of the flaws makes it likely that attackers will attempt to reverse-engineer exploits.