
Gogs CVE-2026-52796

LOW
Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336)
2026-06-22 https://github.com/gogs/gogs GHSA-4j89-2c4f-44c6
3.5
CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
3.5 LOW
AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L
vuln.today AI
4.3 MEDIUM

Low privilege (repo admin) required to set format; once set, any page load triggers the panic with no additional user interaction needed.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from GitHub Advisory.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 23, 2026 - 00:13 vuln.today
Analysis Generated
Jun 23, 2026 - 00:13 vuln.today

Description (GitHub Advisory)

Summary

Special template of issue index pattern may cause panic.

Details

In `internal/markup/markup.go`:

```go
link = fmt.Sprintf(`<a href="%s">%s</a>`, com.Expand(metas["format"], metas), m)
```

The issue index pattern is rendered to a link with `com.Expand`.

However, `com.Expand` is not safe:

```go
// Excerpt from com.Expand: the result of strings.Index is used unchecked.
i = strings.Index(template, "}")
if s, ok := match[template[:i]]; ok {
```

When `{` is found but `}` is not, `i` becomes -1, so `template[:-1]` is evaluated and the code panics.

As a result, all pages that contain an issue index are unavailable.

PoC

  1. Set the issue index pattern as follows:

[image]

  2. Add a commit whose message points to an issue:

[image]

The commit message above uses #1.

Impact

DoS that makes some pages of the specific repository unavailable.

Analysis (AI)

{ placeholder, the third-party com.Expand() call in internal/markup/markup.go panics due to a negative slice index, making all repository pages that render issue references permanently unavailable until the configuration is corrected. No public exploit beyond the PoC included in the advisory is identified at time of analysis; this is not in CISA KEV.


Attack Chain (AI, derived)

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as repo admin
Delivery
Set malformed external tracker format string with unclosed '{'
Exploit
Push or reference a commit containing an issue index (e.g., #1)
Execution
Any page load rendering issue references triggers com.Expand() panic
Impact
Affected repo pages return errors until config is corrected

Vulnerability Assessment (AI)

Exploitation
Exploitation requires two conditions: (1) the attacker must have privileges to configure the repository's external issue tracker settings - typically repository owner or admin role - allowing them to set a malformed `format` string with an unclosed `{` placeholder; (2) any user (including the attacker) must subsequently trigger a page render that processes issue index references, such as viewing commit history or repository pages. …

Risk Assessment
The official CVSS 3.1 score is 3.5 (Low) with vector AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L, reflecting limited availability impact scoped to a single repository. …

Exploit Scenario
A repository owner or admin on a Gogs instance running <= 0.14.2 sets the external issue tracker URL format to a malformed template such as `https://tracker.example.com/{user}/{repo}/{` (with an unclosed brace). Any subsequent commit message or page render that includes an issue reference (e.g., `#1`) triggers `com.Expand()` to panic, crashing the request goroutine. …

Remediation
Upgrade Gogs to version 0.14.3, which replaces the unsafe `com.Expand()` call with a custom `expand()` function using `strings.NewReplacer` that handles malformed templates without panicking (patch PR #8312, commit 0529d95fc39f2b6d2997b19a2a12e24522684722). …
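
The unchecked index and the `strings.NewReplacer` approach named in the remediation, side by side, as an added Go example that is neither the com library's source nor the Gogs patch. `unsafeExpand` is a simplified reconstruction of the quoted pattern; `safeExpand`, `try` and the sample `user`/`repo` values are names and data assumed here.

```go
package main

import (
	"fmt"
	"strings"
)

// unsafeExpand is a simplified reconstruction of the pattern quoted in the
// advisory (not the com library's source): the index of "}" is never checked.
func unsafeExpand(template string, match map[string]string) string {
	var b strings.Builder
	for strings.Contains(template, "{") {
		i := strings.Index(template, "{")
		b.WriteString(template[:i])
		template = template[i+1:]
		i = strings.Index(template, "}")      // -1 when "{" is never closed
		if s, ok := match[template[:i]]; ok { // template[:-1] panics here
			b.WriteString(s)
		}
		template = template[i+1:]
	}
	return b.String() + template
}

// safeExpand (hypothetical name) swaps literal "{key}" tokens; a stray "{" is copied through.
func safeExpand(template string, match map[string]string) string {
	pairs := make([]string, 0, 2*len(match))
	for k, v := range match {
		pairs = append(pairs, "{"+k+"}", v)
	}
	return strings.NewReplacer(pairs...).Replace(template)
}

// try runs fn and reports a panic as an error instead of propagating it.
func try(fn func(string, map[string]string) string, f string, m map[string]string) (out string, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("panic: %v", r)
		}
	}()
	return fn(f, m), nil
}

func main() {
	m := map[string]string{"user": "alice", "repo": "demo"} // constructed values
	f := "https://tracker.example.com/{user}/{repo}/{"      // unclosed brace, as in the scenario
	_, err := try(unsafeExpand, f, m)
	fmt.Printf("unsafe: %v\nsafe:   %q\n", err, safeExpand(f, m))
}
```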
