CVE-2025-12716

CVE-2025-12716 is a cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting GitLab Community Edition (CE) and Enterprise Edition (EE) in versions 18.4 prior to 18.4.6, 18.5 prior to 18.5.4, and 18.6 prior to 18.6.2. The flaw enables an authenticated user, under certain conditions, to create wiki pages containing malicious content that could lead to unauthorized actions performed on behalf of another user. It carries a CVSS v3.1 base score of 8.7 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N), indicating high severity due to its network accessibility, low attack complexity, requirement for low privileges and user interaction, and cross-scope impact on confidentiality and integrity.

An attacker with authenticated access to a vulnerable GitLab instance can exploit this by crafting and uploading wiki pages with malicious payloads. If another user interacts with the content—such as viewing or editing the wiki page—the payload executes in the victim's browser context, potentially allowing the attacker to perform actions as the victim user. This could result in high-impact confidentiality breaches, like data exfiltration, and integrity violations, such as unauthorized modifications, all without affecting availability.

GitLab has remediated the issue through patch releases, including GitLab 18.6.2, as detailed in their release notes. Security practitioners should upgrade affected instances to GitLab 18.4.6, 18.5.4, or 18.6.2 or later versions. Additional details are available in the GitLab issue tracker (gitlab.com/gitlab-org/gitlab/-/issues/579548) and the originating HackerOne report (hackerone.com/reports/3405832).