GitLab Patches Code Execution, Information Disclosure Vulnerabilities
GitLab patches 13 vulnerabilities, including three high-severity code execution and information disclosure flaws.
Summary
GitLab has released security updates for its Community Edition (CE) and Enterprise Edition (EE) to address 13 vulnerabilities. Three of these are high-severity, including an XSS flaw in the Analytics dashboard (CVE-2026-10086) allowing client-side code execution, an XSS in the Web IDE (CVE-2026-10712) enabling JavaScript execution, and an insufficient output filtering issue in Duo Workflows (CVE-2026-12053) that could lead to sensitive information disclosure. Users are strongly advised to update to the patched versions immediately.
Full text
GitLab has rolled out Community Edition (CE) and Enterprise Edition (EE) security updates that resolve 13 vulnerabilities, including three high-severity bugs.

The most severe is CVE-2026-10086, an XSS flaw in the Analytics dashboard of GitLab EE, rooted in the improper sanitization of user-supplied input. According to GitLab, the security defect could have allowed an authenticated user with developer rights to execute arbitrary client-side code in the context of other users’ sessions.

Next in line is CVE-2026-10712, an XSS in the Web IDE workbench asset handler that could have allowed unauthenticated attackers to execute JavaScript code in users’ browser sessions.

The third high-severity vulnerability is CVE-2026-12053, described as an insufficient output filtering in Duo Workflows, which could have allowed users to access sensitive information already committed to a project.

The fresh GitLab CE/EE updates also resolve seven medium-severity flaws, including authorization bypass, incorrect authorization, insufficient filtering, improper input validation, and improper access control issues. Successful exploitation of these bugs could have led to settings tampering, confidential information disclosure, DAST site profile secrets exfiltration, sensitive information being written to logs, content concealment, Maven package metadata overwrite, and package metadata disclosure.

Patches for all these flaws were included in GitLab CE/EE versions 19.1.1, 19.0.3, and 18.11.6. Users are advised to update their deployments as soon as possible. “These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version,” GitLab notes.
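A version-triage helper, added here as an example and not GitLab's own tooling: it takes the fixed versions named above (19.1.1, 19.0.3, 18.11.6) and classifies a self-managed instance's version string as patched or not. The version strings below are constructed samples; in practice the value would be read from the instance's authenticated GET /api/v4/version endpoint, and the "newer-than-advisory" outcome for release lines after 19.1 is an assumption, not something the advisory states.

```python
"""Classify GitLab CE/EE version strings against the fixed versions in this advisory."""
import re

# Fixed versions from the advisory, keyed by release line (major, minor) -> minimum patch.
FIXED = {
    (19, 1): 1,
    (19, 0): 3,
    (18, 11): 6,
}

# Matches "19.0.2", "19.0.2-ee", "19.0.2-ce" and similar suffixed forms.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-[A-Za-z0-9.]+)?$")


def parse_version(text: str) -> tuple:
    """Parse a GitLab version string into (major, minor, patch); reject anything else."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def patch_status(text: str) -> str:
    """Return 'patched', 'vulnerable', 'unsupported-line' or 'newer-than-advisory'."""
    major, minor, patch = parse_version(text)
    line = (major, minor)
    if line in FIXED:
        # Same release line as a fixed version: compare the patch number only.
        return "patched" if patch >= FIXED[line] else "vulnerable"
    if line > max(FIXED):
        # Release line newer than the advisory; assumed (not stated) to carry the fixes.
        return "newer-than-advisory"
    # Older lines received no fix in this release and need an upgrade to a fixed line.
    return "unsupported-line"


def triage(versions):
    """Map each version string in a fleet to its status."""
    return {v: patch_status(v) for v in versions}


if __name__ == "__main__":
    # Constructed sample fleet; each entry stands in for one instance's reported version.
    sample = ["19.1.0-ee", "19.1.1-ee", "19.0.2-ce", "18.11.6-ee", "18.10.9-ce", "19.2.0-ee"]
    for version, status in triage(sample).items():
        print(f"{version:12s} {status}")
```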
Written by Ionut Arghire. Ionut Arghire is an international correspondent for SecurityWeek.
CVEs referenced
- CVE-2026-10086 (XSS in the Analytics dashboard, GitLab EE)
- CVE-2026-10712 (XSS in the Web IDE workbench asset handler)
- CVE-2026-12053 (insufficient output filtering in Duo Workflows)