MEDIUM SeverityCVSS 3.15.4CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVE-2025-12669

Last updated May 14, 2026 · Published May 14, 2026

Description

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.11 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user to inject HTML and JavaScript into email notifications sent to other users due to improper input sanitization.

Affected products

1 listed

GitLab:GitLab

Mappings

CWE

CWE-94

CAPEC

None listed.

Research

Command injection: how it works and how to prevent itCommand injection happens when untrusted input reaches a shell or process spawn. Avoid the shell, pass…
Template InjectionExplains how untrusted input can be executed by template engines on server or client. Covers safe templating…

Training

Injection TodaySQL, NoSQL, ORM, and LLM injection - what's changed and what hasn't.

CVE-2025-12669

Description

Affected products

Mappings

Related