PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-12669 Hackerone CVE debrief

GitLab has patched a medium-severity issue in GitLab CE/EE that could let an authenticated user inject HTML and JavaScript into email notifications sent to other users. The affected range is all versions from 15.11 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3. The published CVSS vector indicates network reachability, low attack complexity, low privileges required, and user interaction required.

Vendor: Hackerone
Product: Unknown
CVSS: MEDIUM 5.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-14
Original CVE updated: 2026-05-14
Advisory published: 2026-05-14
Advisory updated: 2026-05-14

Who should care

GitLab CE/EE administrators, security teams, and anyone relying on GitLab email notifications for collaboration or approvals should care. User accounts with permission to create or edit content that triggers notifications are the main exposure point.

Technical summary

According to the advisory, improper input sanitization allowed an authenticated user to inject HTML and JavaScript into email notifications delivered to other users. The issue is tracked as CWE-94 (Improper Control of Generation of Code). The NVD entry lists CVSS v3.1 vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, indicating that successful exploitation depends on authenticated access and recipient interaction.
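The advisory describes the defect only as improper input sanitization of user-supplied content that ends up in HTML email. The following Ruby snippet is an added illustration of that class of bug and its fix; it is not GitLab code and makes no claim about how GitLab's mailers are written. It assumes a hypothetical mailer that interpolates fields such as an issue title and author name into an HTML body, and the sample title is constructed for the demonstration.

```ruby
require "erb"
require "cgi"

# Constructed sample: a notification field submitted by an authenticated user.
# The value is deliberately hostile to show the difference between the two renderers.
UNTRUSTED_TITLE = %(Fix login bug <img src=x onerror="alert(document.cookie)">)

# Vulnerable pattern (hypothetical): raw string interpolation into an HTML email body.
# Any markup in the field is delivered to the recipient's mail client as markup.
def render_notification_unsafe(fields)
  "<p><b>#{fields[:author]}</b> opened: #{fields[:title]}</p>"
end

# Hardened pattern: every user-controlled value is HTML-escaped before it enters the body.
# ERB::Util.html_escape rewrites & < > " ' to entities, so the recipient sees the
# title as literal text and the mail client never parses it as an element.
def render_notification_safe(fields)
  author = ERB::Util.html_escape(fields[:author])
  title  = ERB::Util.html_escape(fields[:title])
  "<p><b>#{author}</b> opened: #{title}</p>"
end

# Escaping must not destroy the content: decoding the entities gives back the
# original text, so nothing the user typed is lost, only its ability to act as markup.
def round_trips?(text)
  CGI.unescapeHTML(ERB::Util.html_escape(text)) == text
end

if __FILE__ == $PROGRAM_NAME
  fields = { author: "alice", title: UNTRUSTED_TITLE }
  puts "unsafe: #{render_notification_unsafe(fields)}"
  puts "safe:   #{render_notification_safe(fields)}"
end
```

The safe renderer is the shape of the upstream fix the advisory implies: escaping at the point where untrusted data meets the HTML template, rather than trying to strip "dangerous" substrings from the input.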

Defensive priority

Medium. Prioritize prompt patching if your GitLab instance sends notifications to broad user populations or external recipients, or if untrusted users can trigger notifications.

Recommended defensive actions

  • Upgrade GitLab CE/EE to 18.9.7, 18.10.6, or 18.11.3 or later, depending on your release track.
  • Inventory any GitLab deployments still on 15.11 through the affected pre-patch versions and schedule remediation.
  • Review which users can create content or actions that trigger email notifications, and limit privileges where possible.
  • Validate that email security controls and client-side protections are in place, recognizing that the core fix is to upgrade GitLab.
  • Monitor GitLab security advisories and release notes for follow-up guidance related to this issue.
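To support the inventory step above, here is an added Ruby helper (not from the page or from GitLab) that encodes the affected ranges exactly as the advisory states them and flags instances that still need the upgrade. The inventory hash is constructed sample data; the only assumption about real GitLab version strings is that they may carry a "-ce" or "-ee" edition suffix, which is stripped before comparison because Gem::Version would otherwise treat "18.11.3-ee" as a pre-release older than 18.11.3.

```ruby
require "rubygems"

# Affected ranges from the advisory: lower bound inclusive, upper bound (the fixed release) exclusive.
AFFECTED_RANGES = [
  [Gem::Version.new("15.11"), Gem::Version.new("18.9.7")],
  [Gem::Version.new("18.10"), Gem::Version.new("18.10.6")],
  [Gem::Version.new("18.11"), Gem::Version.new("18.11.3")],
].freeze

# Normalise an installed version string for comparison.
# A trailing "-ce"/"-ee" edition marker is dropped; without this, Gem::Version
# parses "18.11.3-ee" as "18.11.3.pre.ee", which sorts below 18.11.3 and would
# wrongly flag a patched Enterprise instance as affected.
def normalize_version(version_string)
  Gem::Version.new(version_string.strip.sub(/-(ce|ee)\z/i, ""))
end

# True when the version falls inside any affected range.
def affected?(version_string)
  v = normalize_version(version_string)
  AFFECTED_RANGES.any? { |lo, hi| v >= lo && v < hi }
end

# Constructed inventory: instance name => reported version.
INVENTORY = {
  "gitlab-prod"    => "18.10.2-ee",
  "gitlab-staging" => "18.11.3-ee",
  "gitlab-dev"     => "18.9.7",
  "gitlab-legacy"  => "15.10.5",
  "gitlab-old"     => "16.4.1",
}.freeze

# Names of instances that still need remediation, sorted for stable reporting.
def needing_upgrade(inventory)
  inventory.select { |_name, version| affected?(version) }.keys.sort
end

if __FILE__ == $PROGRAM_NAME
  needing_upgrade(INVENTORY).each { |name| puts "#{name}: #{INVENTORY[name]} is affected" }
end
```

Note that 15.10.5 is below the advisory's lower bound and 18.9.7 is itself a fixed release, so neither is reported.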

Evidence notes

The issue was publicly disclosed on 2026-05-14 according to the supplied CVE metadata and the GitHub Advisory Database mirror, and GitLab's referenced patch release is dated 2026-05-13. The advisory states that authenticated users could inject HTML and JavaScript into email notifications due to improper input sanitization. The NVD record lists CWE-94 and CVSS v3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. References include the CVE record, NVD, HackerOne report 3368096, the GitLab 18.11.3 release post, and the related GitLab work item.

Official resources

Publicly disclosed on 2026-05-14, with GitLab’s referenced patch release published on 2026-05-13.