Home / Vulnerability Intelligence / CVE-2026-1090

CVE-2026-1090 - Vulnerability Analysis

HighCVSS: 8.7

Last Updated: March 11, 2026

GitLab CE/EE - Stored XSS

Published: March 11, 2026Updated: March 11, 2026Remote Exploitable

Overview

GitLab CE/EE >= 10.6 < 18.7.6, >= 18.8 < 18.8.6, and >= 18.9 < 18.9.2 contain a stored XSS caused by improper sanitization of placeholder content in markdown processing with markdown_placeholders feature enabled, letting authenticated users inject JavaScript in browsers.

Severity & Score

Severity: High

CVSS Score: 8.7

EPSS Score: 1.9%(Probability of exploitation in next 30 days)

Impact

Authenticated users can inject JavaScript in browsers, leading to client-side script execution and potential session hijacking.

Mitigation

Update to versions 18.7.6, 18.8.6, 18.9.2 or later.

References

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Mar 11, 2026

🟠 CVE-2026-1090 - High (8.7) GitLab has remediated an issue in GitLab CE/EE affecting all versions from 10.6 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user, when the `markdown_placeholders` feature flag was enabled, to ... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-1090/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-1090
Severity: High
CVSS Score: 8.7
Type: stored_xss
Status: new
EPSS: 1.9%
Social Posts: 1

CWE

CWE-79

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

EPSS Score

1.9%Probability of exploitation in the next 30 days