Esta página ainda não foi traduzida para o seu idioma. Exibindo conteúdo em inglês enquanto trabalhamos nisso.
💡 Keep dependencies up to date — most exploits target known, patchable vulnerabilities.
CVE-2026-7377: XSS in GitLab Customizable Analytics Dashboards
Plataforma
gitlab
Componente
gitlab
Corrigido em
18.11.3
CVE-2026-7377 is a Cross-Site Scripting (XSS) vulnerability discovered in GitLab EE. This flaw allows an authenticated user to inject and execute arbitrary JavaScript code within the context of other users' browsers when interacting with customizable analytics dashboards. The vulnerability impacts GitLab versions 18.7.0 through 18.11.3, and a fix is available in version 18.11.3.
Impacto e Cenários de Ataquetraduzindo…
Successful exploitation of CVE-2026-7377 could lead to significant consequences for GitLab users. An attacker could leverage this XSS vulnerability to steal session cookies, enabling them to impersonate other users and gain unauthorized access to sensitive data and functionalities. This could include accessing project repositories, modifying configurations, or even escalating privileges within the GitLab instance. The impact is particularly severe as it affects customizable analytics dashboards, which are often used by administrators and project managers to monitor key metrics, potentially exposing critical information to malicious actors. The ability to execute arbitrary JavaScript provides a broad attack surface, allowing for diverse malicious actions beyond simple cookie theft.
Contexto de Exploraçãotraduzindo…
CVE-2026-7377 was published on May 14, 2026. Severity is assessed as HIGH (CVSS 8.7). No public exploits or active campaigns have been reported at the time of writing. The vulnerability is not currently listed on KEV or EPSS, indicating a low to medium probability of exploitation. Refer to the official GitLab security advisory for further details and context.
Inteligência de Ameaças
Status do Exploit
CISA SSVC
Vetor CVSS
O que significam essas métricas?
- Attack Vector
- Rede — explorável remotamente pela internet. Sem acesso físico ou local necessário.
- Attack Complexity
- Baixa — sem condições especiais. O atacante pode explorar de forma confiável.
- Privileges Required
- Baixo — qualquer conta de usuário válida é suficiente.
- User Interaction
- Necessária — a vítima deve abrir um arquivo, clicar em um link ou visitar uma página.
- Scope
- Alterado — o ataque pode pivotar para além do componente vulnerável.
- Confidentiality
- Alto — perda total de confidencialidade. O atacante pode ler todos os dados.
- Integrity
- Alto — o atacante pode escrever, modificar ou excluir qualquer dado.
- Availability
- Nenhum — sem impacto na disponibilidade.
Software Afetado
Classificação de Fraqueza (CWE)
Linha do tempo
- Reservado
- Publicada
Mitigação e Soluções Alternativastraduzindo…
The primary mitigation for CVE-2026-7377 is to upgrade GitLab EE to version 18.11.3 or later. If immediate upgrading is not feasible, consider restricting access to customizable analytics dashboards to trusted users only. Implement strict input validation and output encoding on all user-supplied data within these dashboards to prevent malicious code injection. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can provide an additional layer of defense. Review GitLab’s security best practices for dashboard customization to minimize the attack surface. After upgrading, verify the fix by attempting to inject a simple JavaScript payload into a customizable analytics dashboard and confirming it is properly sanitized and does not execute.
Como corrigirtraduzindo…
Actualice GitLab a la versión 18.9.7 o superior, 18.10.6 o superior, o 18.11.3 o superior. Esta actualización corrige una vulnerabilidad de Cross-Site Scripting (XSS) en los paneles analíticos personalizables, evitando la ejecución de código JavaScript malicioso en el navegador de otros usuarios.
Perguntas frequentestraduzindo…
What is CVE-2026-7377 — XSS in GitLab Customizable Analytics Dashboards?
CVE-2026-7377 is a Cross-Site Scripting (XSS) vulnerability in GitLab EE affecting versions 18.7.0–18.11.3. It allows an authenticated user to execute JavaScript in other users' browsers via customizable analytics dashboards due to improper input sanitization.
Am I affected by CVE-2026-7377 in GitLab Customizable Analytics Dashboards?
If you are running GitLab EE versions 18.7.0 through 18.11.3, you are potentially affected by this vulnerability. Verify your GitLab version and upgrade accordingly.
How do I fix CVE-2026-7377 in GitLab Customizable Analytics Dashboards?
Upgrade GitLab EE to version 18.11.3 or later to resolve the vulnerability. Restrict dashboard access and implement input validation as interim measures.
Is CVE-2026-7377 being actively exploited?
As of the current assessment, there are no reports of active exploitation or public exploits for CVE-2026-7377.
Where can I find the official GitLab advisory for CVE-2026-7377?
Refer to the official GitLab security advisory for CVE-2026-7377, which can be found on the GitLab security announcements page: [https://about.gitlab.com/security/advisories/](https://about.gitlab.com/security/advisories/)
Seu projeto está afetado?
Envie seu arquivo de dependências e descubra na hora se esta e outras CVEs te atingem.
Experimente agora — sem conta
Faça upload de qualquer manifesto (composer.lock, package-lock.json, lista de plugins WordPress…) ou cole sua lista de componentes. Receba um relatório de vulnerabilidades instantaneamente. Fazer upload de um arquivo é só o começo: com uma conta, você obtém monitoramento contínuo, alertas por Slack/email, relatórios multiprojeto e white-label.
Arraste e solte seu arquivo de dependências
composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...