{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5262", "assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "state": "PUBLISHED", "assignerShortName": "GitLab", "dateReserved": "2026-03-31T16:33:39.916Z", "datePublished": "2026-04-22T16:04:36.550Z", "dateUpdated": "2026-04-22T18:08:34.142Z"}, "containers": {"cna": {"title": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab", "descriptions": [{"lang": "en", "value": "GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.1.0 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that under certain conditions could have allowed an unauthenticated user to access tokens in the Storybook development environment due to improper input validation."}], "affected": [{"vendor": "GitLab", "product": "GitLab", "repo": "git://git@gitlab.com:gitlab-org/gitlab.git", "cpes": ["cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*"], "versions": [{"version": "16.1.0", "status": "affected", "lessThan": "18.9.6", "versionType": "semver"}, {"version": "18.10", "status": "affected", "lessThan": "18.10.4", "versionType": "semver"}, {"version": "18.11", "status": "affected", "lessThan": "18.11.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "references": [{"url": "https://gitlab.com/gitlab-org/gitlab/-/work_items/595332"}, {"url": "https://hackerone.com/reports/3574642", "name": "HackerOne Bug Bounty Report #3574642", "tags": ["technical-description", "exploit", "permissions-required"]}, {"url": "https://about.gitlab.com/releases/2026/04/22/patch-release-gitlab-18-11-1-released/"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseScore": 8, "baseSeverity": "HIGH"}}], "solutions": [{"lang": "en", "value": "Upgrade to versions 18.9.6, 18.10.4, 18.11.1 or above."}], "credits": [{"lang": "en", "value": "Thanks [joaxcar](https://hackerone.com/joaxcar) for reporting this vulnerability through our HackerOne bug bounty program", "type": "finder"}], "providerMetadata": {"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "shortName": "GitLab", "dateUpdated": "2026-04-22T16:04:36.550Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-22T18:08:25.203207Z", "id": "CVE-2026-5262", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T18:08:34.142Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-5262", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-22T18:08:25.203207Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T18:08:29.547Z"}}], "cna": {"title": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab", "credits": [{"lang": "en", "type": "finder", "value": "Thanks [joaxcar](https://hackerone.com/joaxcar) for reporting this vulnerability through our HackerOne bug bounty program"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"cpes": ["cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*"], "repo": "git://git@gitlab.com:gitlab-org/gitlab.git", "vendor": "GitLab", "product": "GitLab", "versions": [{"status": "affected", "version": "16.1.0", "lessThan": "18.9.6", "versionType": "semver"}, {"status": "affected", "version": "18.10", "lessThan": "18.10.4", "versionType": "semver"}, {"status": "affected", "version": "18.11", "lessThan": "18.11.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Upgrade to versions 18.9.6, 18.10.4, 18.11.1 or above."}], "references": [{"url": "https://gitlab.com/gitlab-org/gitlab/-/work_items/595332"}, {"url": "https://hackerone.com/reports/3574642", "name": "HackerOne Bug Bounty Report #3574642", "tags": ["technical-description", "exploit", "permissions-required"]}, {"url": "https://about.gitlab.com/releases/2026/04/22/patch-release-gitlab-18-11-1-released/"}], "descriptions": [{"lang": "en", "value": "GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.1.0 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that under certain conditions could have allowed an unauthenticated user to access tokens in the Storybook development environment due to improper input validation."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "shortName": "GitLab", "dateUpdated": "2026-04-22T16:04:36.550Z"}}}, "cveMetadata": {"cveId": "CVE-2026-5262", "state": "PUBLISHED", "dateUpdated": "2026-04-22T18:08:34.142Z", "dateReserved": "2026-03-31T16:33:39.916Z", "assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "datePublished": "2026-04-22T16:04:36.550Z", "assignerShortName": "GitLab"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.1.0 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that under certain conditions could have allowed an unauthenticated user to access tokens in the Storybook development environment due to improper input validation."}], "id": "CVE-2026-5262", "lastModified": "2026-04-22T17:16:44.437", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.8, "source": "cve@gitlab.com", "type": "Secondary"}]}, "published": "2026-04-22T17:16:44.437", "references": [{"source": "cve@gitlab.com", "url": "https://about.gitlab.com/releases/2026/04/22/patch-release-gitlab-18-11-1-released/"}, {"source": "cve@gitlab.com", "url": "https://gitlab.com/gitlab-org/gitlab/-/work_items/595332"}, {"source": "cve@gitlab.com", "url": "https://hackerone.com/reports/3574642"}], "sourceIdentifier": "cve@gitlab.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "cve@gitlab.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T18:23:54.757097+00:00", "value": {"mitigation_remediation": ["Upgrade the GitLab installation to version 18.9.6, 18.10.4, 18.11.1 or later to apply the vendor fix.", "Restrict or disable public access to the Storybook development environment so that only authorized developers can view it.", "If an upgrade cannot be performed immediately, block external traffic to the Storybook endpoint until the patch is applied."], "summary": {"action": "Patch Now", "impact": "Unauthorized Token Exposure via XSS"}, "threat_synthesis": {"affected_systems": "All GitLab Community Edition and Enterprise Edition releases from 16.1.0 up to, but not including, 18.9.6, 18.10.4, and 18.11.1 are affected. No other versions were reported to be vulnerable.", "description_and_impact": "GitLab CE/EE contains an improper input validation flaw that can trigger cross\u2011site scripting when a user visits the Storybook development interface. The flaw allows an unauthenticated attacker to inject code that runs in the victim\u2019s browser, which can then read development\u2011environment tokens that should not be publicly exposed. The bug is identified as a CWE\u201179 vulnerability and could lead to credential theft or other malicious actions executed in the context of the victim\u2019s session.", "risk_and_exploitability": "The vulnerability has a CVSS score of 8, indicating high severity. The EPSS score is not available, and the issue is not listed in the CISA KEV catalog. Because the exploit requires unauthenticated access to the Storybook interface, the attack vector is a remote, web\u2011based attack that can be performed by anyone with network visibility to the development environment. Successful exploitation could allow an attacker to read or exfiltrate tokens, compromising credential confidentiality and potentially enabling further lateral movement."}}}}, "created": "2026-04-22T18:30:23.753363+00:00", "updated": "2026-04-22T18:30:23.753372+00:00", "vendors": []}