VYPR
patch · Published Jan 7, 2026 · Updated May 20, 2026 · 1 source

GitLab Patches High-Severity Stored XSS and Web IDE Flaws in Emergency January 2026 Release

GitLab released versions 18.7.1, 18.6.3, and 18.5.5 on January 7, 2026, fixing multiple vulnerabilities including two high-severity cross-site scripting flaws in Markdown placeholders and the Web IDE.

GitLab released emergency patch versions 18.7.1, 18.6.3, and 18.5.5 for Community Edition and Enterprise Edition on January 7, 2026, fixing a total of eight security vulnerabilities. The most critical of these are CVE-2025-9222, a stored cross-site scripting issue in GitLab Flavored Markdown placeholders rated CVSS 8.7, and CVE-2025-13761, a cross-site scripting vulnerability in the Web IDE rated CVSS 8.0. Both allow attackers to execute arbitrary JavaScript in the context of a victim's browser. The stored XSS is exploitable by any authenticated user, while the Web IDE flaw is potentially exploitable by an unauthenticated attacker who tricks a legitimate user into visiting a malicious webpage.

The stored XSS vulnerability, reported by researcher yvvdvf via GitLab's HackerOne bug bounty program, affects all versions from 18.2.2 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1. The Web IDE issue, reported by researcher joaxcar, similarly affects 18.6 and 18.7 pre-patch versions. Both were given high severity ratings and represent the most impactful risks in this batch. GitLab's security advisory notes that the Web IDE flaw requires user interaction but can cross privilege boundaries, making it a serious attack vector for targeted phishing campaigns.

Beyond the XSS fixes, GitLab patched CVE-2025-13772, a missing authorization vulnerability in the Duo Workflows API affecting GitLab EE versions from 18.4 onward, rated CVSS 7.1. This flaw, discovered internally by GitLab team member Jessie Young, allowed an authenticated user to access and modify AI model settings from unauthorized namespaces by manipulating namespace identifiers in API requests. A related AI GraphQL mutation authorization bypass, CVE-2025-13781, discovered by researcher pwnie, could allow authenticated users to modify instance-wide AI provider settings without proper access control, rated CVSS 6.5.
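The two AI-related bugs above are instances of one pattern: an endpoint that authenticates the caller but never checks that the caller is authorized for the specific object named in the request. The following is an added illustration of that pattern and its fix; it is example code written for this page, not GitLab's implementation, and every name in it (the settings stores, roles, the `User` class) is a constructed assumption.

```python
"""Hypothetical namespace-scoped AI settings API: a missing-authorization
bug beside its corrected form (example code, not GitLab's implementation).

Bug pattern: the handler trusts the namespace_id in the request and never
checks that the caller holds a role in that namespace, so changing the
identifier lets a user read or write another namespace's settings.
"""
from dataclasses import dataclass, field
from typing import Callable


class Forbidden(Exception):
    """Raised when the caller is not authorized for the requested resource."""


@dataclass
class User:
    name: str
    is_admin: bool = False
    roles: dict = field(default_factory=dict)  # constructed: namespace_id -> role


# Constructed in-memory stores standing in for a database
NAMESPACE_AI_SETTINGS = {
    101: {"model": "provider-a/large", "enabled": True},
    202: {"model": "provider-b/small", "enabled": False},
}
INSTANCE_AI_SETTINGS = {"provider": "provider-a", "self_hosted": False}

ROLES_ALLOWED_TO_EDIT = {"owner", "maintainer"}


def update_namespace_settings_vulnerable(actor: User, namespace_id: int, new_model: str) -> dict:
    """Vulnerable: the caller is authenticated, but nothing ties actor to
    namespace_id, so any logged-in user can edit any namespace by picking its id."""
    settings = NAMESPACE_AI_SETTINGS[namespace_id]
    settings["model"] = new_model
    return settings


def authorize_namespace(actor: User, namespace_id: int) -> None:
    """Object-level authorization: the caller must hold an editing role in
    *this* namespace. Instance admins pass; everyone else needs a membership
    whose role is in ROLES_ALLOWED_TO_EDIT."""
    if actor.is_admin:
        return
    role = actor.roles.get(namespace_id)
    if role not in ROLES_ALLOWED_TO_EDIT:
        # Same error whether the namespace is unknown or simply not ours,
        # so the response does not reveal which namespace ids exist.
        raise Forbidden(f"{actor.name} may not edit namespace {namespace_id}")


def update_namespace_settings_fixed(actor: User, namespace_id: int, new_model: str) -> dict:
    """Fixed: authorization runs before the record is loaded or touched."""
    authorize_namespace(actor, namespace_id)
    settings = NAMESPACE_AI_SETTINGS[namespace_id]
    settings["model"] = new_model
    return settings


def update_instance_settings_fixed(actor: User, provider: str) -> dict:
    """Instance-wide settings are an admin-only resource: being an
    authenticated user, or even a namespace owner, is not sufficient."""
    if not actor.is_admin:
        raise Forbidden(f"{actor.name} is not an instance administrator")
    INSTANCE_AI_SETTINGS["provider"] = provider
    return INSTANCE_AI_SETTINGS


def is_forbidden(action: Callable[[], object]) -> bool:
    """Helper for checks: True if the action is rejected with Forbidden."""
    try:
        action()
    except Forbidden:
        return True
    return False


# Constructed users: alice maintains namespace 101 only; root is an admin
ALICE = User("alice", roles={101: "maintainer"})
ROOT = User("root", is_admin=True)

if __name__ == "__main__":
    print("vulnerable:", update_namespace_settings_vulnerable(ALICE, 202, "hijacked"))
    print("fixed rejects:", is_forbidden(lambda: update_namespace_settings_fixed(ALICE, 202, "again")))
    print("fixed allows own:", update_namespace_settings_fixed(ALICE, 101, "provider-a/medium"))
```

The design point is that the check keys on the identifier taken from the request, not on a namespace the caller happens to be browsing, and that the instance-wide endpoint has its own, stricter rule rather than inheriting a per-namespace one.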

The update also addresses CVE-2025-10569, a denial-of-service vulnerability in the import functionality that could be triggered by providing crafted responses to external API calls, affecting all versions from 8.3 onward. This medium-severity flaw, rated CVSS 6.5, could allow authenticated users to disrupt service availability. Additionally, an insufficient access control granularity bug in the GraphQL runnerUpdate mutation, CVE-2025-11246, rated CVSS 5.4, allowed users with specific permissions to remove project runners from unrelated projects. Both were reported through the HackerOne program, the latter also by pwnie.
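An importer that calls out to a third-party API has to treat the reply as hostile input: a body far larger than expected, or one that trickles in indefinitely, can pin a worker and its memory. The added example below shows the usual defensive shape (a byte bound enforced on what is actually received, plus a wall-clock budget); it is illustration code written for this page, not GitLab's importer, and assumes the body arrives as an iterable of byte chunks, which is how streaming HTTP clients such as `requests` (via `iter_content`) hand back data. The limits and the hostile inputs are constructed.

```python
"""Bounded reading of an external API response during an import job
(example code, not GitLab's importer).

A declared Content-Length is only used to fail fast and is never trusted
as the real size: the header can be absent (chunked encoding) or wrong,
so the bound is checked on the bytes actually received.
"""
import json
import time
from typing import Iterable, Optional


class ResponseTooLarge(Exception):
    pass


class ResponseTooSlow(Exception):
    pass


MAX_BODY_BYTES = 1024 * 1024   # constructed limit: 1 MiB is ample for a metadata reply
MAX_READ_SECONDS = 10.0        # constructed wall-clock budget for the whole body


def read_bounded(chunks: Iterable[bytes], max_bytes: int = MAX_BODY_BYTES,
                 max_seconds: float = MAX_READ_SECONDS,
                 declared_length: Optional[int] = None,
                 clock=time.monotonic) -> bytes:
    """Collect at most max_bytes within max_seconds, otherwise abort early.
    `clock` is injectable so the deadline can be exercised without sleeping."""
    if declared_length is not None and declared_length > max_bytes:
        raise ResponseTooLarge(f"declared {declared_length} > limit {max_bytes}")
    deadline = clock() + max_seconds
    buf = bytearray()
    for chunk in chunks:
        if clock() > deadline:
            raise ResponseTooSlow("body did not arrive within the time budget")
        buf.extend(chunk)
        if len(buf) > max_bytes:
            # Stop consuming here; the caller closes the transport.
            raise ResponseTooLarge(f"received more than {max_bytes} bytes")
    return bytes(buf)


def parse_import_metadata(chunks: Iterable[bytes], **limits) -> dict:
    """Decode a JSON object from a bounded body and reject any other shape."""
    body = read_bounded(chunks, **limits)
    data = json.loads(body)
    if not isinstance(data, dict):
        raise ValueError("expected a JSON object")
    return data


def classify(chunks: Iterable[bytes], **limits) -> str:
    """Label the outcome of a bounded read: 'ok', 'too_large' or 'too_slow'."""
    try:
        read_bounded(chunks, **limits)
    except ResponseTooLarge:
        return "too_large"
    except ResponseTooSlow:
        return "too_slow"
    return "ok"


def endless_chunks() -> Iterable[bytes]:
    """Constructed hostile reply: 64 KiB chunks that never stop."""
    while True:
        yield b"A" * 65536


def stepping_clock(step: float):
    """Constructed clock that advances `step` seconds on every call,
    simulating a server that dribbles out one chunk per `step` seconds."""
    state = {"t": 0.0}

    def clock() -> float:
        now = state["t"]
        state["t"] += step
        return now
    return clock


if __name__ == "__main__":
    print(parse_import_metadata([b'{"name": "proj", ', b'"id": 7}']))
    print(classify(endless_chunks()))
    print(classify([b"a", b"b", b"c"], clock=stepping_clock(6.0)))
```

In a real job the same reader sits behind a per-request connect and read timeout on the HTTP client; the wall-clock budget here is the extra guard for a server that keeps the connection alive by sending a byte at a time, which a per-read timeout alone does not catch.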

A low-severity information disclosure issue in Mermaid diagram rendering, CVE-2025-3950, completes the set of fixes. This flaw could allow a user to leak sensitive connection information by referencing specially crafted images that bypass asset proxy protection, affecting versions from 10.3 onward. GitLab credits researcher rog for the report. GitLab.com was already running patched versions at the time of the advisory's publication, while GitLab Dedicated customers required no action. Self-managed installations on the affected version tracks are urged to upgrade immediately.
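The Mermaid issue is a bypass of the asset proxy: a rendering path emitted an image whose source pointed straight at a third-party host, so that host learned the viewer's IP address and request headers instead of the proxy's. The added example below shows the camo-style scheme such proxies use (an HMAC over the original URL, so the proxy cannot be used as an open relay) together with the check a defender can run over rendered HTML to catch any image source that escaped the rewrite. It is example code written for this page, not GitLab's renderer or proxy; the proxy host, secret, internal host list and sample HTML are all constructed.

```python
"""Signed asset-proxy rewriting for rendered Markdown images, with a
detection pass for unproxied external sources (example code, not GitLab's).
"""
import hashlib
import hmac
import re
from html.parser import HTMLParser
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed configuration for this example
PROXY_URL = "https://assets.example.test/proxy"
PROXY_SECRET = b"constructed-secret-key"
INTERNAL_HOSTS = {"gitlab.example.test", "assets.example.test"}

IMG_SRC_RE = re.compile(r'(<img\b[^>]*\bsrc=")([^"]*)(")', re.IGNORECASE)


def _sign(original: str) -> str:
    return hmac.new(PROXY_SECRET, original.encode(), hashlib.sha256).hexdigest()


def proxy_url(original: str) -> str:
    """Rewrite an external http(s) URL to a signed proxy URL.
    Relative paths and internal hosts are returned unchanged."""
    parts = urlsplit(original)
    if parts.scheme not in ("http", "https") or parts.hostname in INTERNAL_HOSTS:
        return original
    return f"{PROXY_URL}/{_sign(original)}/{original.encode().hex()}"


def verify_proxy_path(url: str) -> Optional[str]:
    """Proxy side: recover the original URL and check its signature.
    Returns None for anything the renderer did not sign."""
    if not url.startswith(PROXY_URL + "/"):
        return None
    try:
        digest, encoded = url[len(PROXY_URL) + 1:].split("/", 1)
        original = bytes.fromhex(encoded).decode()
    except ValueError:
        return None
    if not hmac.compare_digest(digest, _sign(original)):
        return None
    return original


def rewrite_img_srcs(html: str) -> str:
    """Renderer side: route every <img src="..."> through the proxy.
    The regex is adequate for HTML the renderer itself produced."""
    return IMG_SRC_RE.sub(lambda m: m.group(1) + proxy_url(m.group(2)) + m.group(3), html)


class _ImgCollector(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.hosts: List[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag.lower() != "img":
            return
        src = dict(attrs).get("src") or ""
        host = urlsplit(src).hostname
        if host and host not in INTERNAL_HOSTS:
            self.hosts.append(host)


def find_unproxied_img_hosts(html: str) -> List[str]:
    """Detection pass over rendered output: any image host that is neither
    the proxy nor an internal host is a leak of the viewer's connection."""
    collector = _ImgCollector()
    collector.feed(html)
    return collector.hosts


if __name__ == "__main__":
    sample = '<p><img src="https://tracker.example/pixel.png" alt="diagram"></p>'
    print("before:", find_unproxied_img_hosts(sample))
    print("after: ", find_unproxied_img_hosts(rewrite_img_srcs(sample)))
```

The `find_unproxied_img_hosts` pass is the useful regression check: run it over the rendered output of every Markdown feature that can embed an image (diagrams included), and a non-empty result means some code path skipped the rewrite.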

The January patch release underscores the ongoing challenge of securing a rapidly evolving development platform that now integrates AI-powered features like Duo Workflows and AI GraphQL mutations. As GitLab expands its AI capabilities, the attack surface widens, and authorization gaps in these new features become critical targets. Administrators should prioritize this update not only for the high-severity XSS fixes but also for the privilege escalation risks posed by the AI-related authorization bugs, which could allow lateral movement within an organization's GitLab instance.

Synthesized by Vypr AI