For a GitLab bug, this one is nice and simple, stored XSS in the “default branch name” field. For a group you can setup what the group’s default branch name should be for any new repositories created. Then when creating a new repository GitLab provides code to be executed that will initalize your repository, this code will reflect the default branch name without any sanitization to whoever is viewing the page.

Its a bit surprising this XSS wasn’t discovered sooner because it is rather straight forward, though in fairness I do believe this feature is relatively new (maybe a year?) and it is a bit of an unseen location.