
GitLab patches multiple critical vulnerabilities including XSS flaws

Vulnerability | Status: open | Jun 25, 2026
GitLab fixes critical XSS flaws in Analytics dashboard

GitLab has issued urgent security updates for its Community and Enterprise Editions after discovering three high‑severity cross‑site scripting flaws in the Analytics dashboard.

The most serious issue, tracked as CVE-2026-10086 with a CVSS score of 8.7, is a stored XSS that lets an authenticated user inject malicious scripts into dashboard widgets, which then execute in the sessions of other users viewing the same panel.

A second flaw, CVE-2026-10712 rated CVSS 8.0, is a reflected XSS that can be triggered by an unauthenticated attacker who convinces a victim to follow a specially crafted URL, causing arbitrary JavaScript to run in the victim’s browser.

The third vulnerability, CVE-2026-12053, carries a CVSS score of 8.6 and exposes sensitive project data through insufficient input validation in the API endpoints that feed the Analytics interface.

All versions of GitLab CE/EE 19.1 prior to 19.1.1, 19.0 before 19.0.3 and 18.11 earlier than 18.11.6 are affected; no active exploitation has been observed in the wild and no threat actors have been linked to these bugs.

Administrators should upgrade immediately to the patched releases 19.1.1, 19.0.3 or 18.11.6, which are available from the standard repositories, and verify the update status through the admin dashboard.

If an immediate upgrade is not feasible, limit access to the Analytics dashboard to trusted network segments, enforce a strict Content‑Security‑Policy header to block inline scripts, and monitor web‑access logs for unexpected requests containing script tags or unusual query strings.

After applying patches, organisations should confirm that backups of configuration and data are intact, re‑run any internal security scanners to validate the fixes, and subscribe to the GitLab security mailing list to receive future advisories without delay.
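As an added example that is not part of the advisory or GitLab's own tooling, the Python below checks a reported GitLab version against the affected ranges listed above and scans constructed web‑access log lines for the script‑tag and encoded‑query indicators the interim mitigation mentions; the `/-/analytics` path fragment used to pick out dashboard requests is an assumption, not something the advisory states.

```python
import re
from urllib.parse import unquote_plus

# Patched release for each affected minor line, as listed in the advisory.
FIXED_RELEASES = {(19, 1): (19, 1, 1), (19, 0): (19, 0, 3), (18, 11): (18, 11, 6)}

def is_affected(version: str) -> bool:
    """True when a GitLab CE/EE version string falls in one of the advisory's ranges."""
    parts = [int(p) for p in version.split(".")[:3]]
    major, minor, patch = (parts + [0, 0, 0])[:3]
    fixed = FIXED_RELEASES.get((major, minor))
    # Minor lines the advisory does not mention are reported as not affected here;
    # they still need checking against GitLab's own release notes.
    return fixed is not None and (major, minor, patch) < fixed

# Request portion of a combined-format access log line: "GET /path?x=y HTTP/1.1"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Script-injection indicators, matched after URL decoding (case-insensitive).
# \b before "on" avoids false positives such as ?mode=monitor (mon-itor=).
XSS_RE = re.compile(
    r"<\s*script|javascript:|\bon\w+\s*=|<\s*(?:img|svg|iframe)\b", re.IGNORECASE
)

def decode_target(target: str) -> str:
    """URL-decode twice so double-encoded payloads (%253C -> %3C -> <) are visible."""
    return unquote_plus(unquote_plus(target))

def suspicious_requests(lines, path_hint="/-/analytics"):
    """Return (method, raw_target) for requests whose target contains path_hint
    (assumed dashboard path fragment) and whose decoded query matches XSS_RE."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m or path_hint not in m.group("target"):
            continue
        if XSS_RE.search(decode_target(m.group("target"))):
            hits.append((m.group("method"), m.group("target")))
    return hits

# Constructed sample log lines (not real traffic): one benign dashboard view,
# one plainly encoded script tag, one double-encoded event-handler payload, one API call.
SAMPLE_LOG = [
    '10.0.0.5 - alice [25/Jun/2026:10:01:02 +0000] "GET /grp/proj/-/analytics/dashboards HTTP/1.1" 200 5120',
    '10.0.0.9 - - [25/Jun/2026:10:03:17 +0000] "GET /grp/proj/-/analytics/dashboards?filter=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 4870',
    '10.0.0.9 - - [25/Jun/2026:10:03:40 +0000] "GET /grp/proj/-/analytics/dashboards?q=%2522%253E%253Cimg%2520src%3Dx%2520onerror%3Dalert(1)%253E HTTP/1.1" 200 4870',
    '10.0.0.7 - bob [25/Jun/2026:10:05:00 +0000] "POST /api/v4/projects/1/issues HTTP/1.1" 201 310',
]

if __name__ == "__main__":
    for v in ("19.1.0", "19.1.1", "18.11.5", "19.0.3"):
        print(v, "affected" if is_affected(v) else "patched")
    for method, target in suspicious_requests(SAMPLE_LOG):
        print("suspicious:", method, target)
```

Feed real access logs in line by line (for example from `gitlab-workhorse` or the reverse proxy in front of it) and treat each hit as a lead for review, not as proof of exploitation.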

Intelligence briefing updated Jun 25, 2026

CVE-2026-10086 (CVSS 8.7), CVE-2026-12053 (CVSS 8.6), CVE-2026-10712 (CVSS 8.0)
Root source: docs.gitlab.com