I found a Stored XSS in merge request pages.
The exploit is via the parameter merge_request[source_branch] of the request to create a New Merge Request.
merge_request[source_branch] parameter's value to
Note: This behavior can be reproduced on all modern browsers.
The security impact is the same as any typical Stored XSS.