CVE-2026-34989: CI4MS: Profile & User Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS

April 3, 2026 (updated May 5, 2026)

The application fails to properly sanitize user-controlled input when users update their profile name (e.g., full name / username). An attacker can inject a malicious JavaScript payload into their profile name, which is then stored server-side.

This stored payload is later rendered unsafely in multiple application views without proper output encoding, leading to stored cross-site scripting (XSS).

User-controlled profile fields (specifically the username / full name) are rendered unsafely across multiple application endpoints, including administrative and content-related interfaces. The application fails to apply proper output encoding when displaying these values.

When an administrator accesses affected pages, the stored XSS payload executes in the administrator’s browser context, resulting in administrative privilege escalation and potential full admin account takeover.

This issue is not limited to a single endpoint and affects all areas where the username is rendered, including but not limited to:

User management interfaces
Blog pages
Other content or UI components displaying usernames

References

Code Behaviors & Features

Detect and mitigate CVE-2026-34989 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →