PatchSiren cyber security CVE debrief
CVE-2026-10087 GitLab CVE debrief
CVE-2026-10087 is a HIGH-severity vulnerability in GitLab EE. An authenticated user with developer-role permissions could execute arbitrary client-side code on behalf of a targeted user due to improper input sanitization in the Analytics Dashboard. The CVSS score is 8.7.
- Vendor: GitLab
- Product: Unknown
- CVSS: HIGH 8.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-11
- Original CVE updated: 2026-06-11
- Advisory published: 2026-06-11
- Advisory updated: 2026-06-11
Who should care
Users of GitLab EE versions from 17.1 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 should be aware of this vulnerability and take action to remediate.
Technical summary
The vulnerability exists in GitLab EE due to improper input sanitization in the Analytics Dashboard. An authenticated user with developer-role permissions can execute arbitrary client-side code on behalf of a targeted user.
Defensive priority
HIGH
Recommended defensive actions
- Update to the patched release for your branch: GitLab EE 18.10.8, 18.11.5, or 19.0.2 or later.
- Review and restrict developer-role permissions so that only trusted users hold them, reducing the pool of accounts able to exploit this flaw.
Evidence notes
GitLab has remediated the issue. References include the GitLab release notes and a HackerOne report.
Official resources
CVE-2026-10087 was published on 2026-06-11T12:16:30.820Z and modified on 2026-06-11T15:22:48.573Z.