Skip to main content

Gogs CVE-2026-26022

HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-03-05 security-advisories@github.com GHSA-xrcr-gmf5-2r8j
XSS Gogs Suse
8.7
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.7 HIGH
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
SUSE
HIGH
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

4
Analysis Generated
Mar 12, 2026 - 22:06 vuln.today
PoC Detected
Mar 06, 2026 - 13:55 vuln.today
Public exploit code
Patch released
Mar 06, 2026 - 13:55 nvd
Patch available
CVE Published
Mar 05, 2026 - 19:16 nvd
HIGH 8.7

DescriptionGitHub Advisory

Gogs is an open source self-hosted Git service. Prior to version 0.14.2, a stored cross-site scripting (XSS) vulnerability exists in the comment and issue description functionality. The application's HTML sanitizer explicitly allows data: URI schemes, enabling authenticated users to inject arbitrary JavaScript execution via malicious links. This issue has been patched in version 0.14.2.

AnalysisAI

Stored XSS in Gogs prior to version 0.14.2 allows authenticated users to execute arbitrary JavaScript in comments and issue descriptions by exploiting the HTML sanitizer's allowance of data: URI schemes. This affects all users viewing malicious content within the same Gogs instance and could enable session hijacking or credential theft. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate to Gogs instance
Exploit
Create issue or comment with data: URI link
Execution
User clicks malicious link
Impact
Execute arbitrary JavaScript in browser context
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Gogs version prior to 0.14.2 with HTML sanitizer allowing data: URI schemes. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS 8.7 (HIGH). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker (requires authentication) could exploit this vulnerability to compromise the affected system.
Remediation A vendor patch is available — apply it immediately. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Inventory all Gogs instances in your environment and confirm versions below 0.14.2. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: High

Share

CVE-2026-26022 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy