
MEDIUM · CVE-2026-6335 · CVSS 5.4

CVE-2026-6335: XSS in GitLab 18.11

Platform: gitlab
Component: gitlab
Fixed version: 18.11.3

CVE-2026-6335 is a Cross-Site Scripting (XSS) vulnerability affecting GitLab Community Edition (CE) and Enterprise Edition (EE). This flaw allows an authenticated user, under specific conditions, to execute arbitrary code within the browser session of another user. The vulnerability impacts GitLab versions 18.11.0 through 18.11.3, and a fix is available in version 18.11.3.

Impact and Attack Scenarios

Successful exploitation of CVE-2026-6335 could allow an attacker to impersonate another user within GitLab, potentially gaining access to sensitive data or performing actions on their behalf. This could include viewing private repositories, modifying project settings, or even accessing administrative functions if the targeted user possesses elevated privileges. The impact is amplified if the targeted user has access to critical infrastructure or sensitive data, leading to a broader compromise of the GitLab instance. The ability to execute code within another user's browser session represents a significant security risk, as it bypasses traditional authentication mechanisms.

Exploitation Context

CVE-2026-6335 was published on 2026-05-14. As of this date, there are no publicly known active campaigns exploiting this vulnerability. No public proof-of-concept (PoC) code has been released. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog and has a low EPSS (Exploit Prediction Scoring System) score, indicating a relatively low probability of exploitation in the wild.

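Threat Intelligence

Exploit Status

Proof of concept: Unknown
CISA KEV: No
Internet exposure

CVSS Vector

CVSS 3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (5.4, MEDIUM)
Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit the vulnerability)
Privileges Required: Low (authentication level required for the attack)
User Interaction: Required (whether the victim must take action)
Scope: Changed (impact beyond the affected component)
Confidentiality: Low (risk of sensitive data disclosure)
Integrity: Low (risk of unauthorized data modification)
Availability: None (risk of service disruption)
nextguardhq.com · CVSS v3.1 base score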
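What do these metrics mean?
Attack Vector
Network: remotely exploitable over the internet, with no physical or local access required. Largest attack surface.
Attack Complexity
Low: no special conditions are required; the vulnerability can be exploited reliably.
Privileges Required
Low: any valid user account is sufficient.
User Interaction
Required: the victim must open a file, click a link, or visit a crafted page.
Scope
Changed: the attack can extend beyond the vulnerable component and affect other systems.
Confidentiality
Low: some data can be accessed.
Integrity
Low: the attacker can modify some data, with limited impact.
Availability
None: no availability impact.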

Affected Software

Component: gitlab
Vendor: GitLab
Minimum version: 18.11.0
Maximum version: 18.11.3
Fixed version: 18.11.3

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published

Mitigations and Workarounds

The primary mitigation for CVE-2026-6335 is to immediately upgrade GitLab to version 18.11.3 or later. If upgrading is not immediately feasible, consider implementing stricter input validation on user-supplied data within GitLab. While not a direct fix, this can help reduce the attack surface. Review GitLab's security configuration and ensure that all security features are enabled and properly configured. Monitor GitLab logs for any suspicious activity that might indicate exploitation attempts.

How to Fix

Upgrade GitLab to version 18.11.3 or later to mitigate the Cross-Site Scripting (XSS) vulnerability. This update corrects the improper input sanitization, preventing the execution of arbitrary code in other users' browsers.

Frequently Asked Questions

What is CVE-2026-6335 — XSS in GitLab 18.11?

CVE-2026-6335 is a Cross-Site Scripting (XSS) vulnerability in GitLab CE/EE versions 18.11.0 through 18.11.3. It allows an authenticated user to potentially execute code in another user's browser session.

Am I affected by CVE-2026-6335 in GitLab 18.11?

If you are running GitLab CE or EE versions 18.11.0, 18.11.1, 18.11.2, or 18.11.3, you are potentially affected by this vulnerability. Upgrade to 18.11.3 or later.

How do I fix CVE-2026-6335 in GitLab 18.11?

The recommended fix is to upgrade GitLab to version 18.11.3 or a later version. This patch addresses the improper sanitization issue.

Is CVE-2026-6335 being actively exploited?

As of 2026-05-14, there are no publicly known active campaigns exploiting this vulnerability, and no public POC code is available.

Where can I find the official GitLab advisory for CVE-2026-6335?

Refer to the official GitLab security advisory for CVE-2026-6335 on the GitLab website: [https://gitlab.com/security/advisories/](https://gitlab.com/security/advisories/)


CVE-2026-6335 — Vulnerability Details | NextGuard