Deze pagina is nog niet vertaald naar uw taal. We werken eraan — de inhoud wordt voorlopig in het Engels weergegeven.
💡 Keep dependencies up to date — most exploits target known, patchable vulnerabilities.
CVE-2025-12669: XSS in GitLab Email Notifications
Platform
gitlab
Component
gitlab
Opgelost in
18.11.3
CVE-2025-12669 describes a cross-site scripting (XSS) vulnerability discovered in GitLab Community Edition (CE) and Enterprise Edition (EE). This flaw allows an authenticated user to inject malicious HTML and JavaScript code into email notifications sent to other GitLab users. The vulnerability impacts versions from 15.11 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3. A fix is available in GitLab 18.11.3.
Impact en Aanvalsscenarioswordt vertaald…
Successful exploitation of CVE-2025-12669 could allow an attacker to execute arbitrary JavaScript code within the context of a victim's GitLab account. This could lead to account takeover, data theft (including credentials, sensitive project data, and internal communications), and potentially even lateral movement within the GitLab environment. The injected script could be used to steal session cookies, redirect users to phishing sites, or deface GitLab pages. While the vulnerability requires authentication, a compromised account could provide a significant foothold for attackers, especially in organizations with privileged user accounts.
Uitbuitingscontextwordt vertaald…
The vulnerability was published on 2026-05-14. Currently, there is no public evidence of active exploitation campaigns targeting CVE-2025-12669. The vulnerability's severity is rated as Medium, indicating a moderate probability of exploitation. No KEV listing or EPSS score is currently available. Review the official GitLab advisory for further details and updates.
Dreigingsinformatie
Exploit Status
CVSS-vector
Wat betekenen deze metrics?
- Attack Vector
- Netwerk — op afstand uitbuitbaar via internet. Geen fysieke of lokale toegang vereist.
- Attack Complexity
- Laag — geen speciale voorwaarden vereist. Betrouwbaar uitbuitbaar.
- Privileges Required
- Laag — elk geldig gebruikersaccount is voldoende.
- User Interaction
- Vereist — slachtoffer moet een bestand openen, op een link klikken of een pagina bezoeken.
- Scope
- Gewijzigd — aanval kan voorbij het kwetsbare component uitbreiden naar andere systemen.
- Confidentiality
- Laag — gedeeltelijke toegang tot enkele gegevens.
- Integrity
- Laag — aanvaller kan enkele gegevens met beperkte omvang aanpassen.
- Availability
- Geen — geen beschikbaarheidsimpact.
Getroffen Software
Zwakheidsclassificatie (CWE)
Tijdlijn
- Gereserveerd
- Gepubliceerd
Mitigatie en Workaroundswordt vertaald…
The primary mitigation for CVE-2025-12669 is to upgrade GitLab to version 18.11.3 or later. If immediate upgrading is not possible, consider implementing stricter input validation on user-generated content within GitLab, particularly any data that is included in email notifications. While a direct workaround is not available, reviewing and potentially restricting the permissions of accounts suspected of malicious activity can help limit the potential impact. After upgrading, confirm the fix by sending a test email notification containing a simple HTML tag (e.g., <script>alert('test')</script>) and verifying that the script does not execute when the email is viewed by another user.
Hoe te verhelpenwordt vertaald…
Actualice GitLab a la versión 18.9.7 o superior, 18.10.6 o superior, o 18.11.3 o superior para mitigar la vulnerabilidad de inyección de código en las notificaciones por correo electrónico. Esta actualización corrige la falta de sanitización adecuada de la entrada del usuario, previniendo la inyección de HTML y JavaScript.
Veelgestelde vragenwordt vertaald…
What is CVE-2025-12669 — XSS in GitLab Email Notifications?
CVE-2025-12669 is a cross-site scripting (XSS) vulnerability in GitLab CE/EE that allows authenticated users to inject malicious code into email notifications sent to other users due to improper input sanitization.
Am I affected by CVE-2025-12669 in GitLab Email Notifications?
You are affected if you are running GitLab CE/EE versions 15.11.0–18.11.3 and have not upgraded. Versions prior to 18.9.7, 18.10.6, and 18.11.3 are vulnerable.
How do I fix CVE-2025-12669 in GitLab Email Notifications?
Upgrade GitLab to version 18.11.3 or later to resolve the vulnerability. If immediate upgrading is not possible, consider stricter input validation.
Is CVE-2025-12669 being actively exploited?
There is currently no public evidence of active exploitation campaigns targeting CVE-2025-12669, but it remains a potential risk.
Where can I find the official GitLab advisory for CVE-2025-12669?
Refer to the official GitLab security advisory for detailed information and updates: [https://gitlab.com/security/advisories/](https://gitlab.com/security/advisories/)
Is jouw project getroffen?
Upload je dependency-bestand en kom direct te weten of deze en andere CVEs jou raken.
Probeer het nu — geen account
Upload een manifest (composer.lock, package-lock.json, WordPress pluginlijst…) of plak uw componentenlijst. U ontvangt direct een kwetsbaarheidsrapport. Een bestand uploaden is slechts het begin: met een account krijgt u continue monitoring, Slack/e-mail alerts, multi-project en white-label rapporten.
Sleep uw afhankelijkheidsbestand hierheen
composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...