Description

An issue has been discovered in GitLab CE/EE affecting all versions starting with 18.0 before 18.0.2. Under certain conditions, HTML injection in the new search page could lead to account takeover.

Status: PUBLISHED | Reserved: 2025-05-05 | Published: 2025-06-12 | Updated: 2025-06-12 | Assigner: GitLab

Severity: HIGH 8.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N)

Problem types

CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

Product status

Default status: unaffected

18.0 (semver) before 18.0.2: affected

Credits

Thanks [joaxcar](https://hackerone.com/joaxcar) for reporting this vulnerability through our HackerOne bug bounty program. (Credit type: finder)

References

gitlab.com/gitlab-org/gitlab/-/issues/539198 (GitLab Issue #539198) [issue-tracking, permissions-required]

hackerone.com/reports/3085738 (HackerOne Bug Bounty Report #3085738) [technical-description, exploit, permissions-required]

cve.org (CVE-2025-4278)

nvd.nist.gov (CVE-2025-4278)
