GitLab Patches 15 Security Flaws Including Critical XSS in Markdown Processing
GitLab has released critical security patches in versions 18.9.2, 18.8.6, and 18.7.6 fixing 15 vulnerabilities, including a high-severity cross-site scripting flaw with a CVSS score of 8.7 that could enable session hijacking through crafted Markdown. Three additional high-severity denial-of-service bugs also received fixes.
GitLab has released critical security patches across three version branches — 18.9.2, 18.8.6, and 18.7.6 — addressing 15 vulnerabilities that affect both Community Edition and Enterprise Edition installations. The most severe issue, CVE-2026-1090, is a cross-site scripting vulnerability with a CVSS score of 8.7 that exploits a flaw in how GitLab processes Markdown placeholder elements.
The XSS Vulnerability
CVE-2026-1090 allows an attacker to bypass GitLab's HTML sanitization by crafting specific Markdown content that, when rendered, injects arbitrary JavaScript into the page. The attack requires the victim to view a page containing the malicious Markdown — such as an issue description, merge request comment, or wiki page. Successful exploitation could enable session hijacking, allowing the attacker to perform actions as the victim, including accessing private repositories and modifying code.
The vulnerability affects GitLab instances where users can create or edit Markdown content, which includes nearly all GitLab deployments. GitLab.com and GitLab Dedicated instances have already been patched.
Denial of Service Fixes
Three high-severity denial-of-service vulnerabilities, each rated CVSS 7.5, were also patched. CVE-2026-1069 affects the GraphQL API, where crafted queries consume excessive server resources. CVE-2025-13929 affects the repository archive endpoint, where specially crafted requests cause the server to generate enormous archive files. CVE-2025-14513 affects the protected branches API, where crafted requests create resource exhaustion conditions.
All three DoS vulnerabilities can be triggered by authenticated users with minimal privileges, making them accessible to any registered user on public GitLab instances or any team member on private instances.
Upgrade Guidance
GitLab strongly recommends that all self-managed installations upgrade immediately to one of the patched versions. The security release follows GitLab's standard practice of publishing patches for the current and two previous minor versions, giving administrators flexibility in their upgrade path. Installations running versions older than 18.7 should plan an upgrade to a supported branch as soon as possible.
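The patched versions named above (18.9.2, 18.8.6, 18.7.6) and the branch policy described in this section translate directly into a fleet check an administrator can run. The script below is an added example written for this article; it is not GitLab's own tooling. It reads the running version from GitLab's GET /api/v4/version endpoint (a real API that requires an authenticated token) and classifies it against the advisory's patched floors. The GITLAB_URL and GITLAB_TOKEN environment variable names and the placeholder host are assumptions about how an operator would wire it up; the sample version strings are constructed.

```python
"""Classify a self-managed GitLab version against the security release
above (18.9.2, 18.8.6, 18.7.6). Added example, not GitLab's own tooling."""
import json
import os
import re
import sys
import urllib.request

# Minimum patched release per affected branch, taken from the advisory.
PATCHED = {
    (18, 9): (18, 9, 2),
    (18, 8): (18, 8, 6),
    (18, 7): (18, 7, 6),
}

# GitLab reports versions such as "18.9.1-ee"; only the numeric triple matters here.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(raw: str) -> tuple:
    """'18.9.1-ee' -> (18, 9, 1). Edition suffixes and pre-release tags are ignored."""
    m = _VERSION_RE.match(raw.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {raw!r}")
    return tuple(int(x) for x in m.groups())


def assess(raw: str) -> str:
    """Return one of 'patched', 'vulnerable', 'unsupported' or 'newer'."""
    major, minor, patch = parse_version(raw)
    branch = (major, minor)
    if branch in PATCHED:
        return "patched" if (major, minor, patch) >= PATCHED[branch] else "vulnerable"
    if branch > max(PATCHED):
        # Released after the advisory's newest branch; confirm against its own release notes.
        return "newer"
    # Older than 18.7: no patch was published for this branch, so the only fix is
    # an upgrade to a supported branch, as the article recommends.
    return "unsupported"


def fetch_version(base_url: str, token: str, timeout: int = 10) -> str:
    """Read the running version from GET /api/v4/version (authenticated)."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v4/version",
        headers={"PRIVATE-TOKEN": token},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)["version"]


if __name__ == "__main__":
    # Assumed operator wiring: GITLAB_URL / GITLAB_TOKEN env vars; placeholder host.
    url = os.environ.get("GITLAB_URL", "https://gitlab.example.invalid")
    token = os.environ.get("GITLAB_TOKEN")
    if token:
        version = fetch_version(url, token)
    else:
        # Constructed sample input for offline use; pass a version string as argv[1].
        version = sys.argv[1] if len(sys.argv) > 1 else "18.8.5-ee"
    print(f"{version}: {assess(version)}")
```

Run it with `python check_gitlab.py 18.8.5-ee` for an offline check of a known version, or set GITLAB_URL and GITLAB_TOKEN to query a live instance. The branch table is the only part that needs updating when a later security release moves the patched floors.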