GitLab CE and EE versions prior to 19.1.1, 19.0.3, and 18.11.6 contain multiple security vulnerabilities including three high-severity defects: CVE-2026-10086, an XSS flaw in the Analytics dashboard allowing authenticated developers to execute arbitrary client-side code in other users' sessions; CVE-2026-10712, an XSS in the Web IDE workbench asset handler exploitable by unauthenticated attackers; and CVE-2026-12053, an insufficient output filtering vulnerability in Duo Workflows that could expose sensitive committed project information. Additional medium-severity issues include authorization bypass, improper input validation, and information disclosure risks. Exploitation could lead to code execution, confidential information leakage, settings tampering, and metadata manipulation. GitLab has released patches in versions 19.1.1, 19.0.3, and 18.11.6 to address these issues. The vendor confirms that GitLab.com is already running patched versions.

Successful exploitation of these vulnerabilities could allow attackers to execute arbitrary JavaScript code in the context of other users' sessions, potentially leading to session hijacking or unauthorized actions. Sensitive project information could be disclosed due to insufficient output filtering. Medium-severity flaws could result in authorization bypass, confidential data exposure, and tampering with settings or metadata. These impacts affect the confidentiality and integrity of GitLab deployments.

Patches addressing all identified vulnerabilities are included in GitLab CE/EE versions 19.1.1, 19.0.3, and 18.11.6. Users of self-managed GitLab installations should upgrade to one of these versions immediately. GitLab.com is already running the patched versions, so no action is required for the cloud service. There are no indications that additional mitigations beyond applying the official updates are necessary.