Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to vulnerabilities
Medium

Code injection in GitLab EE Code Quality reports

IdentifiersCVE-2026-1516CWE-94· Improper Control of Generation of…

GitLab EE contains a code injection issue in Code Quality reports affecting all versions from 18.0.0 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3. According to the provided advisory context, an authenticated user could place specially crafted content into a Code Quality report such that when another user viewed the report, the injected content would trigger outbound requests that exposed the viewer’s IP address. The issue is described as a code injection flaw in the report rendering or handling path for Code Quality report content, resulting in client-side information leakage rather than direct server-side code execution.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an authenticated attacker to disclose the IP addresses of users who view a maliciously crafted Code Quality report. This can reveal network location information about report viewers, including potentially internal or otherwise non-public IP addresses depending on deployment topology and client access path. The provided context does not indicate broader compromise such as account takeover or server-side code execution.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by restricting who can create or upload Code Quality report content, limiting access to Code Quality reports to trusted users, and avoiding rendering untrusted report artifacts. Monitoring for unexpected external requests triggered during report viewing may help detect exploitation attempts. Specific vendor-endorsed temporary mitigations beyond upgrading were not provided in the supplied content.

Remediation

Patch, then assume compromise.

Upgrade GitLab EE to a fixed release: 18.8.9 or later in the 18.8 series, 18.9.5 or later in the 18.9 series, or 18.10.3 or later in the 18.10 series. GitLab urged self-managed customers to upgrade immediately. GitLab.com was already patched, and GitLab Dedicated customers did not need to take action.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
GitLabGitlabapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

5 SOURCESView more in app
thecyberexpress com vulnerabilitiesNews
Apr 10, 2026
GitLab Security Update Fixes CVE-2026-5173 Flaw

A code injection vulnerability in GitLab Code Quality reports that could expose user IP addresses.

Read more
cyber security newsNews
Apr 9, 2026
GitLab Patches Multiple Vulnerabilities That Enables DoS and Code Injection Attacks

A medium-severity GitLab code-injection issue in Code Quality reports that could leak the IP addresses of users viewing a malicious report.

Read more
gitlab releasesNews
Apr 8, 2026
GitLab Patch Release: 18.10.3, 18.9.5, 18.8.9 | GitLab

A code injection issue in GitLab EE Code Quality reports that could allow an authenticated user to leak the IP addresses of users viewing a maliciously crafted report.

Read more
docs gitlabNews
Oct 1, 2018
GitLab Patch Release: 18.10.3, 18.9.5, 18.8.9 | GitLab Docs

A code injection issue in GitLab EE Code Quality reports that could allow an authenticated user to leak viewers' IP addresses via crafted content.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity1

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2026-1516
NVD
nvd.nist.gov/vuln/detail/CVE-2026-1516
MITRE CWE · CWE-94
Improper Control of Generation of Code ('Code…
Vendor Advisory
about.gitlab.com/releases/2026/04/08/patch-release-gitlab-18-10-3-released
Permissions Required
hackerone.com/reports/3514461