
CVE-2026-7377: XSS in GitLab Customizable Analytics Dashboards

Severity: HIGH (CVSS 8.7)

Platform: gitlab
Component: gitlab
Fixed version: 18.11.3

CVE-2026-7377 is a Cross-Site Scripting (XSS) vulnerability discovered in GitLab EE. This flaw allows an authenticated user to inject and execute arbitrary JavaScript code within the context of other users' browsers when interacting with customizable analytics dashboards. The vulnerability impacts GitLab versions 18.7.0 through 18.11.3, and a fix is available in version 18.11.3.

Impact and Attack Scenarios

Successful exploitation of CVE-2026-7377 could lead to significant consequences for GitLab users. An attacker could leverage this XSS vulnerability to steal session cookies, enabling them to impersonate other users and gain unauthorized access to sensitive data and functionalities. This could include accessing project repositories, modifying configurations, or even escalating privileges within the GitLab instance. The impact is particularly severe as it affects customizable analytics dashboards, which are often used by administrators and project managers to monitor key metrics, potentially exposing critical information to malicious actors. The ability to execute arbitrary JavaScript provides a broad attack surface, allowing for diverse malicious actions beyond simple cookie theft.

Exploitation Context

CVE-2026-7377 was published on May 14, 2026. Severity is assessed as HIGH (CVSS 8.7). No public exploits or active campaigns have been reported at the time of writing. The vulnerability is not currently in the CISA KEV catalog and no EPSS score is recorded here, which suggests a low to medium probability of exploitation. Refer to the official GitLab security advisory for further details and context.

Threat Intelligence

Exploitation status
Proof of concept: Unknown
CISA KEV: No
Internet exposure:
Reports: 1 threat report

CISA SSVC
Exploitation: none
Automatable: no
Technical impact: total

CVSS Vector

CVSS 3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N (base score 8.7, HIGH)
Source: nextguardhq.com, CVSS v3.1 base score

What do these metrics mean?
Attack Vector: Network (how the attacker reaches the target). Exploitable remotely over the internet; no physical or local access is required. This is the largest attack surface.
Attack Complexity: Low (conditions needed to exploit the flaw). No special conditions are required; the vulnerability can be exploited reliably.
Privileges Required: Low (authentication level needed for the attack). Any valid user account suffices.
User Interaction: Required (whether the victim must act). The victim must open a file, click a link, or visit a crafted page.
Scope: Changed (impact beyond the affected component). The attack can reach past the vulnerable component and affect other systems.
Confidentiality: High (risk of sensitive data exposure). Total loss of confidentiality; the attacker can read all data.
Integrity: High (risk of unauthorized data modification). The attacker can write, modify, or delete any data.
Availability: None (risk of service disruption). No availability impact.

Affected Software

Component: gitlab
Vendor: GitLab
Minimum version: 18.7.0
Maximum version: 18.11.3
Fixed version: 18.11.3

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published

Mitigations and Workarounds

The primary mitigation for CVE-2026-7377 is to upgrade GitLab EE to version 18.11.3 or later. If immediate upgrading is not feasible, consider restricting access to customizable analytics dashboards to trusted users only. Implement strict input validation and output encoding on all user-supplied data within these dashboards to prevent malicious code injection. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can provide an additional layer of defense. Review GitLab’s security best practices for dashboard customization to minimize the attack surface. After upgrading, verify the fix by attempting to inject a simple JavaScript payload into a customizable analytics dashboard and confirming it is properly sanitized and does not execute.
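As an added example (not part of the advisory), the following triage helper encodes the affected range and the per-branch patched releases this page lists (18.9.7, 18.10.6, 18.11.3), so an operator can check a fleet of instance version strings before scheduling upgrades. It assumes that 18.7.x and 18.8.x have no patched release of their own, and that versions outside 18.7 to 18.11 are unaffected; both are assumptions drawn from the page, not from the GitLab advisory.

```python
"""Triage a GitLab EE version string against CVE-2026-7377 (added example)."""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]
Branch = Tuple[int, int]

# Values taken from the page: first affected release and per-branch fixes.
FIRST_AFFECTED: Version = (18, 7, 0)
PATCHED: Dict[Branch, Version] = {
    (18, 9): (18, 9, 7),
    (18, 10): (18, 10, 6),
    (18, 11): (18, 11, 3),
}
# Assumption: branches after 18.11 shipped with the fix already in place.
LAST_AFFECTED_BRANCH: Branch = (18, 11)


def parse_version(text: str) -> Version:
    """Parse '18.10.2', '18.10.2-ee' or 'v18.10.2' into (major, minor, patch).

    The string is what GET /api/v4/version or `gitlab-rake gitlab:env:info`
    reports; any suffix after the third number is ignored.
    """
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def is_affected(version_text: str) -> bool:
    """True when the instance runs a release inside the vulnerable range."""
    v = parse_version(version_text)
    branch = v[:2]
    if v < FIRST_AFFECTED or branch > LAST_AFFECTED_BRANCH:
        return False
    fixed = PATCHED.get(branch)
    # Assumption: a branch without a listed patched release (18.7, 18.8)
    # has no safe version, so every release on it is treated as affected.
    return fixed is None or v < fixed


def minimum_safe_version(version_text: str) -> Optional[str]:
    """Smallest patched release an affected instance should move to, else None."""
    if not is_affected(version_text):
        return None
    branch = parse_version(version_text)[:2]
    # Stay on the current branch when it has a fix; otherwise move to the
    # lowest patched branch (18.9.7) to keep the upgrade path short.
    target = PATCHED.get(branch) or min(PATCHED.values())
    return ".".join(map(str, target))
```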

Remediation

Upgrade GitLab to version 18.9.7 or later, 18.10.6 or later, or 18.11.3 or later. This update fixes a Cross-Site Scripting (XSS) vulnerability in the customizable analytics dashboards, preventing malicious JavaScript from executing in other users' browsers.

Frequently Asked Questions

What is CVE-2026-7377 — XSS in GitLab Customizable Analytics Dashboards?

CVE-2026-7377 is a Cross-Site Scripting (XSS) vulnerability in GitLab EE affecting versions 18.7.0–18.11.3. It allows an authenticated user to execute JavaScript in other users' browsers via customizable analytics dashboards due to improper input sanitization.

Am I affected by CVE-2026-7377 in GitLab Customizable Analytics Dashboards?

If you are running GitLab EE versions 18.7.0 through 18.11.3, you are potentially affected by this vulnerability. Verify your GitLab version and upgrade accordingly.

How do I fix CVE-2026-7377 in GitLab Customizable Analytics Dashboards?

Upgrade GitLab EE to version 18.11.3 or later to resolve the vulnerability. Restrict dashboard access and implement input validation as interim measures.

Is CVE-2026-7377 being actively exploited?

As of the current assessment, there are no reports of active exploitation or public exploits for CVE-2026-7377.

Where can I find the official GitLab advisory for CVE-2026-7377?

Refer to the official GitLab security advisory for CVE-2026-7377, which can be found on the GitLab security announcements page: [https://about.gitlab.com/security/advisories/](https://about.gitlab.com/security/advisories/)
