CVE-2026-1516 — Improper Control of Generation of Code ('Code Injection') in GitLab

Description

GitLab has remediated an issue in GitLab EE affecting all versions from 18.0.0 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that in Code Quality reports could have allowed an authenticated user to leak IP addresses of users viewing the report via specially crafted content.

How to fix CVE-2026-1516

To remediate CVE-2026-1516, upgrade the affected package to a fixed version below.

—upgrade to 18.8.9 or later

Is CVE-2026-1516 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 18.0.0, < 18.8.9, >= 18.9.0, < 18.9.5, >= 18.10.0, < 18.10.3

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.7	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

References (4)

WEBabout.gitlab.com/releases/2026/04/08/patch-release-gitlab-18-10-3-released/
WEBgitlab.com/gitlab-org/gitlab/-/work_items/587893
WEBhackerone.com/reports/3514461
WEBnvd.nist.gov/vuln/detail/CVE-2026-1516