HTML injection in Test Case name leads to ATO

⚠️ Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #3486862 by joaxcar on 2026-01-04, imported by @katwu:


Original Report

Summary

The title of a test case is used as is in a v-safe-html attribute. This allows an attacker to inject payloads that will trigger JavaScript actions, as shown in other similar reports.

Steps to reproduce
  1. Create a new Ultimate project
  2. Go to https://gitlab.com/GROUPNAME/PROJECTNAME/-/quality/test_cases/new
     and name a new test case
<REDACTED>
  3. In the list of test cases, click the new test case. It should have a URL like https://gitlab.com/GROUPNAME/PROJECTNAME/-/quality/test_cases/1
  4. Copy the full URL of the site
  5. Go to https://joaxcar.com/fun/delay/prep_poc_vuln.php and paste the URL in the box and submit (this will prepare the attack)
  6. Go to the URL again and this time click anywhere on the page. A pop-up will open; when it closes after 10 seconds,
  7. click anywhere again
  8. Go to your user profile and see that you have a new email on your account (remove the email to be able to reuse the POC)
Impact

ATO by adding a new email to victim accounts.

What is the current bug behavior?

Test case titles are used directly in the header of test case detail pages.

What is the expected correct behavior?

The title should not render as HTML.

Output of checks

This bug happens on GitLab.com

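The report's expected behaviour is that a test case title is displayed as text, never interpreted as markup. The following is an added illustration of that contrast and is not GitLab's code or the reporter's proof of concept: a plain HTML escaper, the unsafe "title spliced in as markup" pattern shown only for comparison, the safe escaped rendering, and a small check that a rendered header contains no element other than its own wrapper. The function names, the `<h1 class="title">` wrapper and the sample title are all constructed for this example.

```javascript
// Added example (not GitLab's code): an untrusted test-case title must be
// treated as text, never as markup.

// Minimal HTML escaper covering the five characters that change parsing
// in text and attribute contexts.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unsafe rendering: the title string is spliced into the header as markup.
// This mirrors the pattern the report describes (the title used "as is" in
// an HTML-rendering binding) and is kept here only for contrast.
function renderHeaderAsMarkup(title) {
  return `<h1 class="title">${title}</h1>`;
}

// Safe rendering: the title is escaped, so any tags it contains are shown
// literally. Vue's {{ }} text interpolation escapes for you; only
// v-html-style bindings hand the string to the HTML parser.
function renderHeaderAsText(title) {
  return `<h1 class="title">${escapeHtml(title)}</h1>`;
}

// Defensive check usable in a unit test: the rendered header must contain
// exactly one element, the <h1> wrapper itself.
function containsOnlyWrapperTag(html) {
  const tags = html.match(/<[^>]+>/g) || [];
  return tags.length === 2 && tags[0].startsWith('<h1') && tags[1] === '</h1>';
}

// Constructed sample title with markup-significant characters (hypothetical).
const SAMPLE_TITLE = 'Login <b>flow</b> & "edge" cases';

function demo() {
  return {
    unsafe: renderHeaderAsMarkup(SAMPLE_TITLE),
    safe: renderHeaderAsText(SAMPLE_TITLE),
    unsafeIsClean: containsOnlyWrapperTag(renderHeaderAsMarkup(SAMPLE_TITLE)),
    safeIsClean: containsOnlyWrapperTag(renderHeaderAsText(SAMPLE_TITLE)),
  };
}

console.log(demo());
```

The `containsOnlyWrapperTag` check is the kind of assertion a component test for the detail-page header can carry: feed it a title containing tags and require that the rendered output still has only the wrapper element. Escaping at render time is the fix the report asks for; a sanitizing directive is an allowlist over markup, while text interpolation removes the question of markup entirely.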

Attachments

How To Reproduce

Please add reproducibility information to this section:

Edited by Katherine Wu