CVE-2026-5816

Exploit

EPSS 0.01%
Veröffentlicht 22.04.2026 16:04:26
Zuletzt bearbeitet 23.04.2026 20:30:30
Quelle cve@gitlab.com
CVE-Watchlists
Login
Unerledigt
Login

Improper Resolution of Path Equivalence in GitLab

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.10 before 18.10.4 and 18.11 before 18.11.1 that could have allowed an unauthenticated user to execute arbitrary JavaScript in a user's browser session due to improper path validation under certain conditions.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

NVD 4 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Gitlab ≫ GitLab SwEditioncommunity Version >= 18.10.0 < 18.10.4

Gitlab ≫ GitLab SwEditionenterprise Version >= 18.10.0 < 18.10.4

Gitlab ≫ GitLab Version18.11.0 SwEditioncommunity

Gitlab ≫ GitLab Version18.11.0 SwEditionenterprise

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.01%	0.019

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.1	2.8	5.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
cve@gitlab.com	8	1.6	5.8	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

CWE-41 Improper Resolution of Path Equivalence

The product is vulnerable to file system contents disclosure through path equivalence. Path equivalence involves the use of special characters in file and directory names. The associated manipulations are intended to generate multiple names for the same object.

https://about.gitlab.com/releases/2026/04/22/patch-release-gitlab-18-11-1-released/

Vendor Advisory

Release Notes

https://hackerone.com/reports/3572231

Permissions Required

https://gitlab.com/gitlab-org/gitlab/-/work_items/592816

Broken Link

https://nvd.nist.gov/vuln/detail/CVE-2026-5816

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-5816

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-5816

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-5816