GitLab Patches Code Execution, Information Disclosure Vulnerabilities
SecurityWeek, archived Jun 25, 2026
The latest GitLab CE/EE updates address 13 vulnerabilities, including three high-severity defects.
GitLab has rolled out Community Edition (CE) and Enterprise Edition (EE) security updates that resolve 13 vulnerabilities, including three high-severity bugs.
The most severe is CVE-2026-10086, an XSS flaw in the Analytics dashboard of GitLab EE, rooted in the improper sanitization of user-supplied input.
According to GitLab, the security defect could have allowed an authenticated user with developer rights to execute arbitrary client-side code in the context of other users’ sessions.
Next in line is CVE-2026-10712, an XSS in the Web IDE workbench asset handler that could have allowed unauthenticated attackers to execute JavaScript code in users’ browser sessions.
The third high-severity vulnerability is CVE-2026-12053, described as insufficient output filtering in Duo Workflows, which could have allowed users to access sensitive information already committed to a project.
The fresh GitLab CE/EE updates also resolve seven medium-severity flaws, including authorization bypass, incorrect authorization, insufficient filtering, improper input validation, and improper access control issues.
Successful exploitation of these bugs could have led to settings tampering, confidential information disclosure, DAST site profile secrets exfiltration, sensitive information being written to logs, content concealment, Maven package metadata overwrite, and package metadata disclosure.
Patches for all these flaws were included in GitLab CE/EE versions 19.1.1, 19.0.3, and 18.11.6. Users are advised to update their deployments as soon as possible.
“These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version,” GitLab notes.
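For administrators who want to confirm that a self-managed instance is on one of the fixed releases named above, the following is an added example (not GitLab's own tooling and not from the article) that compares a reported version string against those releases. The fixed versions 19.1.1, 19.0.3 and 18.11.6 come from the article; `GET /api/v4/version` and the `PRIVATE-TOKEN` header are GitLab's documented API, while the instance URL and token are placeholders the operator supplies. Versions on a newer release line than 19.1 are treated as patched, on the assumption that later releases are cut from a tree that already carries the fixes; versions on an older line with no fixed release are reported as needing an upgrade.

```python
"""Check a GitLab version string against the fixed releases from the advisory.

Added example; not GitLab's own code. FIXED_VERSIONS is taken from the
article above. The API endpoint and header are GitLab's documented API;
base_url and token are operator-supplied placeholders.
"""
from __future__ import annotations

import json
import urllib.request

# Fixed releases named in the article (one per supported release line).
FIXED_VERSIONS = ("19.1.1", "19.0.3", "18.11.6")


def parse_version(version: str) -> tuple[int, int, int]:
    """Turn a GitLab version string such as '19.1.1-ee' into (major, minor, patch).

    GitLab appends edition or pre-release suffixes ('-ee', '-pre'); they do not
    change which security fixes are present, so the suffix is dropped.
    """
    core = version.strip().split("-", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version string: {version!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def assess(version: str, fixed: tuple[str, ...] = FIXED_VERSIONS) -> tuple[bool, str]:
    """Return (is_patched, explanation) for a running version.

    Rules:
      * same major.minor line as a fixed release: patched iff patch >= fixed patch
      * a line newer than the newest fixed line: assumed patched (assumption:
        later releases already contain the fixes)
      * any other line (older than the oldest fixed line, or a line without a
        fixed release): not patched; upgrade to one of the fixed releases
    """
    major, minor, patch = parse_version(version)
    fixed_parsed = sorted((parse_version(f) for f in fixed), reverse=True)
    newest_line = fixed_parsed[0][:2]

    for f_major, f_minor, f_patch in fixed_parsed:
        if (major, minor) == (f_major, f_minor):
            fixed_str = f"{f_major}.{f_minor}.{f_patch}"
            if patch >= f_patch:
                return True, f"{version}: on the {f_major}.{f_minor} line at or above {fixed_str}"
            return False, f"{version}: on the {f_major}.{f_minor} line but below {fixed_str}"

    if (major, minor) > newest_line:
        return True, f"{version}: newer than {newest_line[0]}.{newest_line[1]}; fixes assumed included"
    return False, (
        f"{version}: no fixed release on the {major}.{minor} line; "
        f"upgrade to one of {', '.join(fixed)}"
    )


def fetch_version(base_url: str, token: str) -> str:
    """Read the running version from GitLab's documented GET /api/v4/version.

    The endpoint requires an authenticated user; the personal access token is
    sent in the PRIVATE-TOKEN header (assumption: it has at least read_api).
    """
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v4/version",
        headers={"PRIVATE-TOKEN": token},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["version"]


if __name__ == "__main__":
    # Constructed sample version strings; runs offline without touching any instance.
    for sample in ("19.1.1-ee", "19.1.0-ee", "19.0.3", "18.11.5", "18.10.9", "19.2.0"):
        ok, why = assess(sample)
        print("PATCHED   " if ok else "VULNERABLE", why)
```

To check a live instance, replace the sample loop with `assess(fetch_version("https://gitlab.example.internal", token))`; the offline comparison logic is what matters for fleet-wide inventory checks where version strings are already collected.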
WRITTEN BY
Ionut Arghire
Ionut Arghire is an international correspondent for SecurityWeek.