無料スキャン

このページはまだあなたの言語に翻訳されていません。翻訳作業中のため、英語でコンテンツを表示しています。

💡 Keep dependencies up to date — most exploits target known, patchable vulnerabilities.

HIGHCVE-2026-7377CVSS 8.7

CVE-2026-7377: XSS in GitLab Customizable Analytics Dashboards

プラットフォーム

gitlab

コンポーネント

gitlab

修正版

18.11.3

NVDで見る
保存
あなたの言語に翻訳中…

CVE-2026-7377 is a Cross-Site Scripting (XSS) vulnerability discovered in GitLab EE. This flaw allows an authenticated user to inject and execute arbitrary JavaScript code within the context of other users' browsers when interacting with customizable analytics dashboards. The vulnerability impacts GitLab versions 18.7.0 through 18.11.3, and a fix is available in version 18.11.3.

影響と攻撃シナリオ翻訳中…

Successful exploitation of CVE-2026-7377 could lead to significant consequences for GitLab users. An attacker could leverage this XSS vulnerability to steal session cookies, enabling them to impersonate other users and gain unauthorized access to sensitive data and functionalities. This could include accessing project repositories, modifying configurations, or even escalating privileges within the GitLab instance. The impact is particularly severe as it affects customizable analytics dashboards, which are often used by administrators and project managers to monitor key metrics, potentially exposing critical information to malicious actors. The ability to execute arbitrary JavaScript provides a broad attack surface, allowing for diverse malicious actions beyond simple cookie theft.

悪用の状況翻訳中…

CVE-2026-7377 was published on May 14, 2026. Severity is assessed as HIGH (CVSS 8.7). No public exploits or active campaigns have been reported at the time of writing. The vulnerability is not currently listed on KEV or EPSS, indicating a low to medium probability of exploitation. Refer to the official GitLab security advisory for further details and context.

脅威インテリジェンス

エクスプロイト状況

概念実証不明
CISA KEVNO
インターネット露出
レポート1 脅威レポート

CISA SSVC

悪用状況none
自動化可能no
技術的影響total

CVSS ベクトル

脅威インテリジェンス· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N8.7HIGHAttack VectorNetwork攻撃者がターゲットに到達する方法Attack ComplexityLow悪用に必要な条件Privileges RequiredLow攻撃に必要な認証レベルUser InteractionRequired被害者の操作が必要かどうかScopeChanged影響コンポーネント外への波及ConfidentialityHigh機密データ漏洩のリスクIntegrityHigh不正データ改ざんのリスクAvailabilityNoneサービス障害のリスクnextguardhq.com · CVSS v3.1 基本スコア
これらのメトリクスの意味は?
Attack Vector
ネットワーク — インターネット経由でリモートから悪用可能。物理・ローカルアクセス不要。
Attack Complexity
低 — 特別な条件不要。安定して悪用可能。
Privileges Required
低 — 有効なユーザーアカウントがあれば十分。
User Interaction
必要 — 被害者がファイルを開く、リンクをクリックするなどのアクションが必要。
Scope
変化あり — 攻撃が脆弱なコンポーネントを超えて他のシステムに波及可能。
Confidentiality
高 — 機密性の完全喪失。全データが読み取り可能。
Integrity
高 — 任意のデータの書き込み・変更・削除が可能。
Availability
なし — 可用性への影響なし。

影響を受けるソフトウェア

コンポーネントgitlab
ベンダーGitLab
最小バージョン18.7.0
最大バージョン18.11.3
修正版18.11.3

弱点分類 (CWE)

CWE-79

タイムライン

  1. 予約済み
  2. 公開日

緩和策と回避策翻訳中…

The primary mitigation for CVE-2026-7377 is to upgrade GitLab EE to version 18.11.3 or later. If immediate upgrading is not feasible, consider restricting access to customizable analytics dashboards to trusted users only. Implement strict input validation and output encoding on all user-supplied data within these dashboards to prevent malicious code injection. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can provide an additional layer of defense. Review GitLab’s security best practices for dashboard customization to minimize the attack surface. After upgrading, verify the fix by attempting to inject a simple JavaScript payload into a customizable analytics dashboard and confirming it is properly sanitized and does not execute.

修正方法翻訳中…

Actualice GitLab a la versión 18.9.7 o superior, 18.10.6 o superior, o 18.11.3 o superior. Esta actualización corrige una vulnerabilidad de Cross-Site Scripting (XSS) en los paneles analíticos personalizables, evitando la ejecución de código JavaScript malicioso en el navegador de otros usuarios.

よくある質問翻訳中…

What is CVE-2026-7377 — XSS in GitLab Customizable Analytics Dashboards?

CVE-2026-7377 is a Cross-Site Scripting (XSS) vulnerability in GitLab EE affecting versions 18.7.0–18.11.3. It allows an authenticated user to execute JavaScript in other users' browsers via customizable analytics dashboards due to improper input sanitization.

Am I affected by CVE-2026-7377 in GitLab Customizable Analytics Dashboards?

If you are running GitLab EE versions 18.7.0 through 18.11.3, you are potentially affected by this vulnerability. Verify your GitLab version and upgrade accordingly.

How do I fix CVE-2026-7377 in GitLab Customizable Analytics Dashboards?

Upgrade GitLab EE to version 18.11.3 or later to resolve the vulnerability. Restrict dashboard access and implement input validation as interim measures.

Is CVE-2026-7377 being actively exploited?

As of the current assessment, there are no reports of active exploitation or public exploits for CVE-2026-7377.

Where can I find the official GitLab advisory for CVE-2026-7377?

Refer to the official GitLab security advisory for CVE-2026-7377, which can be found on the GitLab security announcements page: [https://about.gitlab.com/security/advisories/](https://about.gitlab.com/security/advisories/)

あなたのプロジェクトは影響を受けていますか?

依存関係ファイルをアップロードすれば、このCVEや他のCVEがあなたに影響するか即座にわかります。

無料スキャンCVEを検索
scanZone.liveBadgescanZone.eyebrow

今すぐ試す — アカウント不要

Upload any manifest (composer.lock, package-lock.json, WordPress plugin list…) or paste your component list. You get a vulnerability report instantly. Uploading a file is just the start: with an account you get continuous monitoring, Slack/email alerts, multi-project and white-label reports.

手動スキャンSlack/メールアラートContinuous monitoringホワイトラベルレポート

依存関係ファイルをドラッグ&ドロップ

composer.lock、package-lock.json、requirements.txt、Gemfile.lock、pubspec.lock、Dockerfile...