{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3254", "assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "state": "PUBLISHED", "assignerShortName": "GitLab", "dateReserved": "2026-02-26T11:33:27.873Z", "datePublished": "2026-04-22T16:29:48.833Z", "dateUpdated": "2026-04-22T17:39:44.965Z"}, "containers": {"cna": {"title": "Improper Restriction of Rendered UI Layers or Frames in GitLab", "descriptions": [{"lang": "en", "value": "GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.11 before 18.11.1 that under certain conditions could have allowed an authenticated user to load unauthorized content into another user's browser due to improper input validation in the Mermaid sandbox."}], "affected": [{"vendor": "GitLab", "product": "GitLab", "repo": "git://git@gitlab.com:gitlab-org/gitlab.git", "cpes": ["cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*"], "versions": [{"version": "18.11", "status": "affected", "lessThan": "18.11.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-1021: Improper Restriction of Rendered UI Layers or Frames", "cweId": "CWE-1021", "type": "CWE"}]}], "references": [{"url": "https://hackerone.com/reports/3572752", "name": "HackerOne Bug Bounty Report #3572752", "tags": ["technical-description", "exploit", "permissions-required"]}, {"url": "https://gitlab.com/gitlab-org/gitlab/-/work_items/591587"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW"}}], "solutions": [{"lang": "en", "value": "Upgrade to version 18.11.1 or above."}], "credits": [{"lang": "en", "value": "Thanks [joaxcar](https://hackerone.com/joaxcar) for reporting this vulnerability through our HackerOne bug bounty program", "type": "finder"}], "providerMetadata": {"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "shortName": "GitLab", "dateUpdated": "2026-04-22T16:29:48.833Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-22T17:39:38.576809Z", "id": "CVE-2026-3254", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T17:39:44.965Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3254", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-22T17:39:38.576809Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T17:39:41.713Z"}}], "cna": {"title": "Improper Restriction of Rendered UI Layers or Frames in GitLab", "credits": [{"lang": "en", "type": "finder", "value": "Thanks [joaxcar](https://hackerone.com/joaxcar) for reporting this vulnerability through our HackerOne bug bounty program"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.5, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"cpes": ["cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*"], "repo": "git://git@gitlab.com:gitlab-org/gitlab.git", "vendor": "GitLab", "product": "GitLab", "versions": [{"status": "affected", "version": "18.11", "lessThan": "18.11.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Upgrade to version 18.11.1 or above."}], "references": [{"url": "https://hackerone.com/reports/3572752", "name": "HackerOne Bug Bounty Report #3572752", "tags": ["technical-description", "exploit", "permissions-required"]}, {"url": "https://gitlab.com/gitlab-org/gitlab/-/work_items/591587"}], "descriptions": [{"lang": "en", "value": "GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.11 before 18.11.1 that under certain conditions could have allowed an authenticated user to load unauthorized content into another user's browser due to improper input validation in the Mermaid sandbox."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1021", "description": "CWE-1021: Improper Restriction of Rendered UI Layers or Frames"}]}], "providerMetadata": {"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "shortName": "GitLab", "dateUpdated": "2026-04-22T16:29:48.833Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3254", "state": "PUBLISHED", "dateUpdated": "2026-04-22T17:39:44.965Z", "dateReserved": "2026-02-26T11:33:27.873Z", "assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "datePublished": "2026-04-22T16:29:48.833Z", "assignerShortName": "GitLab"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.11 before 18.11.1 that under certain conditions could have allowed an authenticated user to load unauthorized content into another user's browser due to improper input validation in the Mermaid sandbox."}], "id": "CVE-2026-3254", "lastModified": "2026-04-22T21:23:52.620", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 1.4, "source": "cve@gitlab.com", "type": "Secondary"}]}, "published": "2026-04-22T17:16:43.433", "references": [{"source": "cve@gitlab.com", "url": "https://gitlab.com/gitlab-org/gitlab/-/work_items/591587"}, {"source": "cve@gitlab.com", "url": "https://hackerone.com/reports/3572752"}], "sourceIdentifier": "cve@gitlab.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1021"}], "source": "cve@gitlab.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T17:58:59.714543+00:00", "value": {"mitigation_remediation": ["Upgrade GitLab to version 18.11.1 or later, which contains the full fix for the Mermaid sandbox validation issue.", "Restrict Mermaid diagram creation to trusted users or roles to minimize the number of users who can inject content.", "If necessary, disable Mermaid diagram rendering in the UI until a patch is produced, which removes the attack surface entirely."], "summary": {"action": "Patch", "impact": "Unauthorized Content Injection via Mermaid Rendering"}, "threat_synthesis": {"affected_systems": "GitLab Community Edition and Enterprise Edition are affected for all releases starting from 18.11 up to, but excluding, 18.11.1. The vulnerability applies across both web and internal API endpoints where Mermaid diagrams are processed and displayed to authenticated users.", "description_and_impact": "This vulnerability arises from improper input validation in GitLab's Mermaid sandbox, enabling an authenticated user to embed malicious content that renders in another user's browser. The failure to correctly restrict rendered UI layers or frames allows the injection of unauthorized content, potentially leading to a compromised user experience. While the primary impact is the execution of unintended browser-side rendering, the effect is confined to the rendering context and does not provide direct database or system compromise.", "risk_and_exploitability": "The CVSS score of 3.5 indicates a low overall severity; the lack of an EPSS score signals no publicly available indicator of exploitation attempts, and the vulnerability is not currently listed in the CISA KEV catalog. Attackers require authenticated access and the ability to supply or modify Mermaid diagrams, so the attack vector is most plausibly limited to privileged users within the organization. Given the limited scope and the requirement for authenticated access, the likelihood of widespread exploitation is low, though the potential for internal misuse remains. The inadequacy in input validation directly contributes to a CWE-1021 condition, emphasizing a failure in anti\u2011tampering controls."}}}}, "created": "2026-04-22T18:00:05.473298+00:00", "updated": "2026-04-22T18:00:05.473323+00:00", "vendors": []}