Chrome and GitLab Release Security Patches for Multiple High-Severity Flaws
Google released a Chrome Stable desktop update to 149.0.7827.196/197 for Windows and Mac and 149.0.7827.196 for Linux, fixing 18 security issues, including four rated critical. The most serious bugs include two WebGL use-after-free flaws, an out-of-bounds read in Blink InterestGroups, and a use-after-free issue in Autofill, alongside 14 high-severity vulnerabilities affecting components such as GPU, Navigation, DevTools, Web Authentication, Passwords, Bluetooth, and WebView. Public details for some flaws are temporarily restricted until more users receive the update or dependent third-party libraries are patched, and the Canadian Centre for Cyber Security urged organizations running versions earlier than the fixed releases to apply the update.
GitLab also issued security patch releases 19.1.1, 19.0.3, and 18.11.6 for Community Edition and Enterprise Edition, addressing 13 vulnerabilities and urging self-managed customers to upgrade immediately. The most severe issue, CVE-2026-10086, is a high-severity cross-site scripting flaw in the Analytics Dashboard for GitLab EE with a CVSS score of 8.7; other notable issues include CVE-2026-10712, an unauthenticated XSS flaw in the Web IDE workbench asset handler, and CVE-2026-12053, an information disclosure bug in Duo Workflows. GitLab said GitLab.com had already been patched and GitLab Dedicated customers required no action. It also warned that the included database migrations may cause downtime on single-node deployments, while multi-node environments can avoid downtime by following zero-downtime upgrade procedures.

How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Canadian Centre issues GitLab advisory AV26-630
On 2026-06-24, the Canadian Centre for Cyber Security published advisory AV26-630 covering vulnerabilities in GitLab CE and EE versions prior to 19.1.1, 19.0.3, and 18.11.6. The notice directed users and administrators to review GitLab's advisory and apply the updates.
GitLab releases security patches 19.1.1, 19.0.3, and 18.11.6
On 2026-06-24, GitLab released security patch versions 19.1.1, 19.0.3, and 18.11.6 for Community Edition and Enterprise Edition and urged self-managed customers to upgrade immediately. The patches fixed 13 vulnerabilities, including high-severity issues such as CVE-2026-10086, while GitLab.com had already been patched.
Canadian Centre issues Chrome advisory AV26-626
On 2026-06-24, the Canadian Centre for Cyber Security distributed advisory AV26-626 about Google's Chrome vulnerabilities. The notice urged users and administrators to review Google's advisory and apply the necessary updates.
Google releases Chrome 149.0.7827.196/197 stable update
On 2026-06-23, Google announced a Chrome Stable channel update for Desktop to version 149.0.7827.196/197 for Windows and Mac and 149.0.7827.196 for Linux. The release included 18 security fixes, including four critical vulnerabilities, with rollout planned over the coming days and weeks.
Sources
GitLab Patches Code Execution, Information Disclosure Vulnerabilities - SecurityWeek (securityweek.com)
Chrome 149 Security Update - Patch for Critical Flaws that Enable Code Execution Attacks (cybersecuritynews.com)
GitLab Multiple Vulnerabilities (hkcert.org)
GitLab security advisory (AV26-630) - Malware News - Malware Analysis, News and Indicators (malware.news)
GitLab security advisory (AV26-630) - Canadian Centre for Cyber Security (cyber.gc.ca)
Google Chrome security advisory (AV26-626) - Malware News - Malware Analysis, News and Indicators (malware.news)
Google Chrome security advisory (AV26-626) - Canadian Centre for Cyber Security (cyber.gc.ca)
Chrome Releases: Stable Channel Update for Desktop (chromereleases.googleblog.com)
GitLab Patch Release: 19.1.1, 19.0.3, 18.11.6 | GitLab Docs (docs.gitlab.com)


