Scan free
MEDIUMCVE-2025-12669CVSS 5.4

CVE-2025-12669: XSS in GitLab Email Notifications

Platform

gitlab

Component

gitlab

Fixed in

18.11.3

View on NVD
Save

CVE-2025-12669 describes a cross-site scripting (XSS) vulnerability discovered in GitLab Community Edition (CE) and Enterprise Edition (EE). This flaw allows an authenticated user to inject malicious HTML and JavaScript code into email notifications sent to other GitLab users. The vulnerability impacts versions from 15.11 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3. A fix is available in GitLab 18.11.3.

Impact and Attack Scenarios

Successful exploitation of CVE-2025-12669 could allow an attacker to execute arbitrary JavaScript code within the context of a victim's GitLab account. This could lead to account takeover, data theft (including credentials, sensitive project data, and internal communications), and potentially even lateral movement within the GitLab environment. The injected script could be used to steal session cookies, redirect users to phishing sites, or deface GitLab pages. While the vulnerability requires authentication, a compromised account could provide a significant foothold for attackers, especially in organizations with privileged user accounts.

Exploitation Context

The vulnerability was published on 2026-05-14. Currently, there is no public evidence of active exploitation campaigns targeting CVE-2025-12669. The vulnerability's severity is rated as Medium, indicating a moderate probability of exploitation. No KEV listing or EPSS score is currently available. Review the official GitLab advisory for further details and updates.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown
CISA KEVNO
Internet ExposureHigh

CVSS Vector

THREAT INTELLIGENCE· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N5.4MEDIUMAttack VectorNetworkHow the attacker reaches the targetAttack ComplexityLowConditions required to exploitPrivileges RequiredLowAuthentication level needed to attackUser InteractionRequiredWhether a victim must take actionScopeChangedImpact beyond the vulnerable componentConfidentialityLowRisk of sensitive data exposureIntegrityLowRisk of unauthorized data modificationAvailabilityNoneRisk of service disruptionnextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
Low — any valid user account is sufficient. Basic authenticated access required.
User Interaction
Required — victim must take an action: open a file, click a link, or visit a crafted page.
Scope
Changed — successful attack can pivot beyond the vulnerable component to other systems or the host OS.
Confidentiality
Low — partial or indirect data access. Attacker gains limited information.
Integrity
Low — attacker can modify some data with limited scope or impact.
Availability
None — no availability impact. Service remains fully operational.

Affected Software

Componentgitlab
VendorGitLab
Minimum version15.11.0
Maximum version18.11.3
Fixed in18.11.3

Weakness Classification (CWE)

CWE-94

Timeline

  1. Reserved
  2. Published

Mitigation and Workarounds

The primary mitigation for CVE-2025-12669 is to upgrade GitLab to version 18.11.3 or later. If immediate upgrading is not possible, consider implementing stricter input validation on user-generated content within GitLab, particularly any data that is included in email notifications. While a direct workaround is not available, reviewing and potentially restricting the permissions of accounts suspected of malicious activity can help limit the potential impact. After upgrading, confirm the fix by sending a test email notification containing a simple HTML tag (e.g., <script>alert('test')</script>) and verifying that the script does not execute when the email is viewed by another user.

How to fix

Actualice GitLab a la versión 18.9.7 o superior, 18.10.6 o superior, o 18.11.3 o superior para mitigar la vulnerabilidad de inyección de código en las notificaciones por correo electrónico.  Esta actualización corrige la falta de sanitización adecuada de la entrada del usuario, previniendo la inyección de HTML y JavaScript.

Frequently asked questions

What is CVE-2025-12669 — XSS in GitLab Email Notifications?

CVE-2025-12669 is a cross-site scripting (XSS) vulnerability in GitLab CE/EE that allows authenticated users to inject malicious code into email notifications sent to other users due to improper input sanitization.

Am I affected by CVE-2025-12669 in GitLab Email Notifications?

You are affected if you are running GitLab CE/EE versions 15.11.0–18.11.3 and have not upgraded. Versions prior to 18.9.7, 18.10.6, and 18.11.3 are vulnerable.

How do I fix CVE-2025-12669 in GitLab Email Notifications?

Upgrade GitLab to version 18.11.3 or later to resolve the vulnerability. If immediate upgrading is not possible, consider stricter input validation.

Is CVE-2025-12669 being actively exploited?

There is currently no public evidence of active exploitation campaigns targeting CVE-2025-12669, but it remains a potential risk.

Where can I find the official GitLab advisory for CVE-2025-12669?

Refer to the official GitLab security advisory for detailed information and updates: [https://gitlab.com/security/advisories/](https://gitlab.com/security/advisories/)

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan freeSearch CVEs
livefree scan

Try it now — no account

Upload any manifest (composer.lock, package-lock.json, WordPress plugin list…) or paste your component list. You get a vulnerability report instantly. Uploading a file is just the start: with an account you get continuous monitoring, Slack/email alerts, multi-project and white-label reports.

Manual scanSlack/email alertsContinuous monitoringWhite-label reports

Drag & drop your dependency file

composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...