
Severity: MEDIUM · CVE-2026-6335 · CVSS 5.4

CVE-2026-6335: XSS in GitLab 18.11


Platform: gitlab

Component: gitlab

Fixed in: 18.11.3


CVE-2026-6335 is a Cross-Site Scripting (XSS) vulnerability affecting GitLab Community Edition (CE) and Enterprise Edition (EE). This flaw allows an authenticated user, under specific conditions, to execute arbitrary code within the browser session of another user. The vulnerability impacts GitLab versions 18.11.0 through 18.11.3, and a fix is available in version 18.11.3.

Impact and Attack Scenarios

Successful exploitation of CVE-2026-6335 could allow an attacker to impersonate another user within GitLab, potentially gaining access to sensitive data or performing actions on their behalf. This could include viewing private repositories, modifying project settings, or even accessing administrative functions if the targeted user possesses elevated privileges. The impact is amplified if the targeted user has access to critical infrastructure or sensitive data, leading to a broader compromise of the GitLab instance. The ability to execute code within another user's browser session represents a significant security risk, because the injected script runs inside the victim's already-authenticated session and so sidesteps the authentication checks an attacker would otherwise have to pass.

Exploitation Context

CVE-2026-6335 was published on 2026-05-14. As of this date, there are no publicly known active campaigns exploiting this vulnerability. No public Proof-of-Concept (POC) code has been released. The vulnerability is not listed in the CISA KEV (Known Exploited Vulnerabilities) catalog and has a low EPSS (Exploit Prediction Scoring System) score, indicating a relatively low probability of exploitation in the wild.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High

CVSS Vector

Threat intelligence · CVSS 3.1 base score (nextguardhq.com): CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N → 5.4 MEDIUM

What do these metrics mean?

| Metric | Value | What it means |
| --- | --- | --- |
| Attack Vector | Network | How the attacker reaches the target: exploitable remotely over the internet, no physical or local access required. |
| Attack Complexity | Low | Conditions needed to exploit: no special conditions, reliably exploitable. |
| Privileges Required | Low | Authentication level required: any valid user account is sufficient. |
| User Interaction | Required | Whether a victim action is needed: the victim must open a file, click a link or visit a page. |
| Scope | Changed | Impact beyond the affected component: the attack can pivot past the vulnerable component. |
| Confidentiality | Low | Risk of sensitive data exposure: partial or indirect access to some data. |
| Integrity | Low | Risk of unauthorized data modification: the attacker can alter some data with limited impact. |
| Availability | None | Risk of service disruption: no impact on availability. |

Affected Software

Component: gitlab
Vendor: GitLab
Minimum version: 18.11.0
Maximum version: 18.11.3
Fixed in: 18.11.3

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published

Mitigation and Workarounds

The primary mitigation for CVE-2026-6335 is to immediately upgrade GitLab to version 18.11.3 or later. If upgrading is not immediately feasible, consider implementing stricter input validation on user-supplied data within GitLab. While not a direct fix, this can help reduce the attack surface. Review GitLab's security configuration and ensure that all security features are enabled and properly configured. Monitor GitLab logs for any suspicious activity that might indicate exploitation attempts.

How to Fix

Upgrade GitLab to version 18.11.3 or later to mitigate the Cross-Site Scripting (XSS) vulnerability. This update corrects the improper input sanitization, preventing execution of arbitrary code in other users' browsers.

Frequently Asked Questions

What is CVE-2026-6335 — XSS in GitLab 18.11?

CVE-2026-6335 is a Cross-Site Scripting (XSS) vulnerability in GitLab CE/EE versions 18.11.0 through 18.11.3. It allows an authenticated user to potentially execute code in another user's browser session.

Am I affected by CVE-2026-6335 in GitLab 18.11?

If you are running GitLab CE or EE versions 18.11.0, 18.11.1, 18.11.2, or 18.11.3, you are potentially affected by this vulnerability. Upgrade to 18.11.3 or later.
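To answer the question above for a fleet of instances, a small check like the following helps. It is an added example, not NextGuard's or GitLab's own tooling: it parses a GitLab version string (including the `-ee`/`-ce` suffix the instance reports), compares it against the range stated on this page, and can optionally pull the version from a live instance via GitLab's `GET /api/v4/version` endpoint using a personal access token. It assumes that the fixed release 18.11.3 itself is not vulnerable, so the affected range is treated as 18.11.0 up to but not including 18.11.3.

```python
"""Check whether a GitLab version falls inside the CVE-2026-6335 affected range."""
import json
import re
import sys
import urllib.request

# Range as stated on this advisory page; the fixed release is treated as safe (assumption).
FIRST_AFFECTED = (18, 11, 0)
FIXED_IN = (18, 11, 3)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(raw: str) -> tuple:
    """Turn '18.11.2-ee' or '18.11.2' into (18, 11, 2); edition suffixes are ignored."""
    match = _VERSION_RE.match(raw.strip())
    if not match:
        raise ValueError(f"unrecognised GitLab version string: {raw!r}")
    return tuple(int(part) for part in match.groups())


def is_affected(raw: str) -> bool:
    """True when the version is >= 18.11.0 and below the fixed release 18.11.3."""
    return FIRST_AFFECTED <= parse_version(raw) < FIXED_IN


def fetch_version(base_url: str, token: str) -> str:
    """Read the running version from a live instance (GET /api/v4/version, authenticated)."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v4/version",
        headers={"PRIVATE-TOKEN": token},  # PAT with read_api scope
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["version"]


if __name__ == "__main__":
    # Usage: python check_cve_2026_6335.py https://gitlab.example.com "$GITLAB_TOKEN"
    # (hostname and token are placeholders for your own instance)
    version = fetch_version(sys.argv[1], sys.argv[2])
    verdict = "AFFECTED - upgrade to 18.11.3 or later" if is_affected(version) else "not in affected range"
    print(f"GitLab {version}: {verdict}")
```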

How do I fix CVE-2026-6335 in GitLab 18.11?

The recommended fix is to upgrade GitLab to version 18.11.3 or a later version. This patch addresses the improper sanitization issue.

Is CVE-2026-6335 being actively exploited?

As of 2026-05-14, there are no publicly known active campaigns exploiting this vulnerability, and no public POC code is available.

Where can I find the official GitLab advisory for CVE-2026-6335?

Refer to the official GitLab security advisory for CVE-2026-6335 on the GitLab website: [https://gitlab.com/security/advisories/](https://gitlab.com/security/advisories/)


CVE-2026-6335 — Vulnerability Details | NextGuard