CVE-2025-6186

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2025-6186
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-6186.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-6186
Aliases
Downstream
Related
Published
2025-08-13T17:26:35.507Z
Modified
2026-04-10T05:32:48.487418Z
Severity
  • 8.7 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N CVSS Calculator
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
Details

An issue has been discovered in GitLab CE/EE affecting all versions from 18.1 before 18.1.4, and 18.2 before 18.2.2 that could have allowed authenticated users to achieve account takeover by injecting malicious HTML into work item names.

Database specific 
{
    "cna_assigner": "GitLab",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/6xxx/CVE-2025-6186.json",
    "cwe_ids": [
        "CWE-79"
    ]
}
References

Affected packages

Git / gitlab.com/gitlab-org/gitlab

Affected ranges

Type
GIT
Repo
https://gitlab.com/gitlab-org/gitlab
Events
Introduced
e0f3b86408aa4e7f03b63ac9e7dba6de1df14e93
Fixed
693bb5e6ca55d16970747e6a3157ab801608b758
Database specific 
{
    "versions": [
        {
            "introduced": "18.1"
        },
        {
            "fixed": "18.1.4"
        }
    ]
}
Type
GIT
Repo
https://gitlab.com/gitlab-org/gitlab
Events
Introduced
64403a0daee4413eb45b939590f37c351b8e72bf
Fixed
bef324d0853760755341c3ea7ca9469e4d962377
Database specific 
{
    "versions": [
        {
            "introduced": "18.2"
        },
        {
            "fixed": "18.2.2"
        }
    ]
}

Affected versions

v18.*
v18.1.0-ee
v18.2.0-ee

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-6186.json"