Cette page n'a pas encore été traduite dans votre langue. Affichage du contenu en anglais pendant que nous y travaillons.
💡 Keep dependencies up to date — most exploits target known, patchable vulnerabilities.
CVE-2026-7377: XSS in GitLab Customizable Analytics Dashboards
Plateforme
gitlab
Composant
gitlab
Corrigé dans
18.11.3
CVE-2026-7377 is a Cross-Site Scripting (XSS) vulnerability discovered in GitLab EE. This flaw allows an authenticated user to inject and execute arbitrary JavaScript code within the context of other users' browsers when interacting with customizable analytics dashboards. The vulnerability impacts GitLab versions 18.7.0 through 18.11.3, and a fix is available in version 18.11.3.
Impact et Scénarios d'Attaquetraduction en cours…
Successful exploitation of CVE-2026-7377 could lead to significant consequences for GitLab users. An attacker could leverage this XSS vulnerability to steal session cookies, enabling them to impersonate other users and gain unauthorized access to sensitive data and functionalities. This could include accessing project repositories, modifying configurations, or even escalating privileges within the GitLab instance. The impact is particularly severe as it affects customizable analytics dashboards, which are often used by administrators and project managers to monitor key metrics, potentially exposing critical information to malicious actors. The ability to execute arbitrary JavaScript provides a broad attack surface, allowing for diverse malicious actions beyond simple cookie theft.
Contexte d'Exploitationtraduction en cours…
CVE-2026-7377 was published on May 14, 2026. Severity is assessed as HIGH (CVSS 8.7). No public exploits or active campaigns have been reported at the time of writing. The vulnerability is not currently listed on KEV or EPSS, indicating a low to medium probability of exploitation. Refer to the official GitLab security advisory for further details and context.
Renseignement sur les Menaces
Statut de l'Exploit
CISA SSVC
Vecteur CVSS
Que signifient ces métriques?
- Attack Vector
- Réseau — exploitable à distance via internet. Aucun accès physique ou local requis.
- Attack Complexity
- Faible — aucune condition spéciale requise. Exploitable de manière fiable.
- Privileges Required
- Faible — tout compte utilisateur valide est suffisant.
- User Interaction
- Requise — la victime doit ouvrir un fichier, cliquer sur un lien ou visiter une page.
- Scope
- Modifié — l'attaque peut pivoter au-delà du composant vulnérable.
- Confidentiality
- Élevé — perte totale de confidentialité. L'attaquant peut lire toutes les données.
- Integrity
- Élevé — l'attaquant peut écrire, modifier ou supprimer toutes les données.
- Availability
- Aucun — aucun impact sur la disponibilité.
Logiciel Affecté
Classification de Faiblesse (CWE)
Chronologie
- Réservé
- Publiée
Mitigation et Contournementstraduction en cours…
The primary mitigation for CVE-2026-7377 is to upgrade GitLab EE to version 18.11.3 or later. If immediate upgrading is not feasible, consider restricting access to customizable analytics dashboards to trusted users only. Implement strict input validation and output encoding on all user-supplied data within these dashboards to prevent malicious code injection. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can provide an additional layer of defense. Review GitLab’s security best practices for dashboard customization to minimize the attack surface. After upgrading, verify the fix by attempting to inject a simple JavaScript payload into a customizable analytics dashboard and confirming it is properly sanitized and does not execute.
Comment corrigertraduction en cours…
Actualice GitLab a la versión 18.9.7 o superior, 18.10.6 o superior, o 18.11.3 o superior. Esta actualización corrige una vulnerabilidad de Cross-Site Scripting (XSS) en los paneles analíticos personalizables, evitando la ejecución de código JavaScript malicioso en el navegador de otros usuarios.
Questions fréquentestraduction en cours…
What is CVE-2026-7377 — XSS in GitLab Customizable Analytics Dashboards?
CVE-2026-7377 is a Cross-Site Scripting (XSS) vulnerability in GitLab EE affecting versions 18.7.0–18.11.3. It allows an authenticated user to execute JavaScript in other users' browsers via customizable analytics dashboards due to improper input sanitization.
Am I affected by CVE-2026-7377 in GitLab Customizable Analytics Dashboards?
If you are running GitLab EE versions 18.7.0 through 18.11.3, you are potentially affected by this vulnerability. Verify your GitLab version and upgrade accordingly.
How do I fix CVE-2026-7377 in GitLab Customizable Analytics Dashboards?
Upgrade GitLab EE to version 18.11.3 or later to resolve the vulnerability. Restrict dashboard access and implement input validation as interim measures.
Is CVE-2026-7377 being actively exploited?
As of the current assessment, there are no reports of active exploitation or public exploits for CVE-2026-7377.
Where can I find the official GitLab advisory for CVE-2026-7377?
Refer to the official GitLab security advisory for CVE-2026-7377, which can be found on the GitLab security announcements page: [https://about.gitlab.com/security/advisories/](https://about.gitlab.com/security/advisories/)
Ton projet est-il affecté ?
Téléverse ton fichier de dépendances et découvre instantanément si cette CVE et d'autres te touchent.
Essayez maintenant — sans compte
scanZone.subtitle
Glissez-déposez votre fichier de dépendances
composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...