VYPR
patchPublished Jul 8, 2026· 1 source

GitLab Releases Patches for Multiple High and Medium Severity Vulnerabilities

GitLab has issued urgent patch releases (19.1.2, 19.0.4, 18.11.7) to address several security flaws, including critical Cross-Site Scripting and HTML Injection vulnerabilities.

GitLab has released critical patch versions 19.1.2, 19.0.4, and 18.11.7 for its Community Edition (CE) and Enterprise Edition (EE) to address a range of vulnerabilities, some of which carry high severity ratings. The company strongly advises all self-managed GitLab installations to upgrade immediately to one of these patched versions. GitLab.com has already been updated, and GitLab Dedicated customers require no action.

The security updates tackle several critical issues, including a High severity Cross-Site Scripting (XSS) vulnerability (CVE-2026-6896) in the vulnerability evidence table renderer, which could allow an authenticated user with developer permissions to execute arbitrary scripts in another user's browser session due to improper input sanitization. Another High severity flaw, CVE-2026-13320, involves HTML Injection in wiki markup rendering, also potentially enabling script execution in a user's browser session.

Medium severity vulnerabilities have also been remediated. These include Insufficiently Protected Credentials (CVE-2026-11827) in repository mirroring, which could allow a maintainer-role user to obtain stored credentials due to improper authorization controls. Additionally, an Improper Access Control issue (CVE-2026-8472) in work items could permit authenticated users with minimal access to read metadata from private projects. A Missing Authorization vulnerability (CVE-2026-7492) in commit discussion display could allow an unauthenticated user to discover private projects.

Several other vulnerabilities, rated Low, have also been patched. These include issues related to Ambiguity Reference in tags or branches (CVE-2025-12506), Incorrect Authorization in group-level settings (CVE-2026-13151) and compliance violation management (CVE-2026-13151), and improper handling of Git reference name resolution. These patches are part of GitLab's regular security release cycle, which includes scheduled releases twice a month and ad-hoc critical patches for high-severity vulnerabilities.

The company emphasizes its commitment to maintaining the highest security standards for all customer-facing aspects of GitLab and data hosting. To uphold good security hygiene, upgrading to the latest patch release for a supported version is highly recommended. Detailed information on best practices for securing GitLab instances is available in their blog posts.

GitLab's security fixes are disclosed publicly on their issue tracker 90 days after the release in which they were patched. The vulnerabilities addressed in these recent patch releases were reported by security researchers through GitLab's HackerOne bug bounty program, with acknowledgments provided for each reported issue. The specific impacted versions for each vulnerability are detailed, allowing administrators to assess their exposure and prioritize upgrades.

Users are urged to consult the official GitLab security release notes for detailed information on each vulnerability, including CVSS scores and affected version ranges. Promptly applying these patches is crucial to mitigate the risk of exploitation and protect sensitive data and system integrity. The company reiterates that for any product where a specific deployment type is not mentioned, all types are considered affected.

This release underscores the ongoing need for vigilance in software supply chain security, as even mature platforms like GitLab require continuous patching to defend against evolving threats. Organizations relying on GitLab should ensure their update processes are robust and that security advisories are monitored closely.

Synthesized by Vypr AI