CVE-2026-1090
MEDIUM WAF: High
CVSS 5.4
Published: 2026-03-11
CWE-79
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 10.6 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user, when the `markdown_placeholders` feature flag was enabled, to inject JavaScript in a browser due to improper sanitization of placeholder content in markdown processing.
WAF Coverage Analysis
Cross-Site Scripting (XSS)
High WAF Coverage
OWASP: A03:2021 Injection
941xxx - XSS / XXE
Affected Software
| Vendor | Product | Version |
|---|---|---|
| gitlab | gitlab | 10.6.0 - 18.7.6 |
| gitlab | gitlab | 10.6.0 - 18.7.6 |
| gitlab | gitlab | 18.8.0 - 18.8.6 |
| gitlab | gitlab | 18.8.0 - 18.8.6 |
| gitlab | gitlab | 18.9.0 - 18.9.2 |
| gitlab | gitlab | 18.9.0 - 18.9.2 |
References
- about.gitlab.com (Release Notes, Vendor Advisory)
- gitlab.com (Broken Link)
- hackerone.com (Permissions Required)