Description
Gogs is an open source self-hosted Git service. Prior to version 0.14.2, a stored cross-site scripting (XSS) vulnerability exists in the comment and issue description functionality. The application's HTML sanitizer explicitly allows data: URI schemes, enabling authenticated users to inject arbitrary JavaScript execution via malicious links. This issue has been patched in version 0.14.2.
Published: 2026-03-05
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting via data: URI scheme
Action: Patch
AI Analysis

Impact

Prior to version 0.14.2, Gogs permits authenticated users to insert arbitrary JavaScript into issue comments or issue descriptions via data: URI links, a stored cross-site scripting flaw (CWE-79: Improper Neutralization of Input During Web Page Generation) that permits client-side script execution. From this it is inferred that an attacker could compromise data confidentiality, hijack user sessions, or carry out similar client-side attacks.

Affected Systems

Self-hosted Gogs installations running any version older than 0.14.2 are vulnerable; the issue is limited to users who can edit or create issue comments and descriptions.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.7, indicating high severity. The EPSS score is below 1%, suggesting a low current likelihood of exploitation, and it is not yet listed in the CISA KEV catalog. Exploitation requires authentication and the ability to post or edit issue comments, and the victim must follow the injected link (the CVSS vector rates user interaction as required), so this is primarily an insider or compromised-user threat rather than a remote unauthenticated vector.

Generated by OpenCVE AI on April 18, 2026 at 09:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Gogs to version 0.14.2 or later, which removes data: URI support from the sanitizer.
  • If an immediate upgrade is not feasible, restrict comment and issue description editing to trusted users or temporarily disable the creation of new issues and comments until the patch can be applied.
  • Review the sanitizer configuration to ensure data: URI schemes are blocked, and validate that the changes persist after any subsequent Gogs updates.

Generated by OpenCVE AI on April 18, 2026 at 09:53 UTC.
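To make the sanitizer point of the Description and of the last recommended action concrete, here is an added illustration in Go (the language Gogs is written in); it is not code from Gogs or from OpenCVE. It places a permissive link-scheme allowlist that admits data: beside a hardened one that does not and runs both over a constructed rendered comment; the allowlist names, the sample HTML and the regexp-based attribute walk are assumptions made for this example.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Scheme allowlists for <a href>. The permissive one mirrors the advisory's flaw:
// "data" is allowed, so a data: link survives sanitization and can carry script.
var (
	permissiveSchemes = map[string]bool{"http": true, "https": true, "mailto": true, "data": true}
	hardenedSchemes   = map[string]bool{"http": true, "https": true, "mailto": true}
	hrefAttr          = regexp.MustCompile(`href="([^"]*)"`) // href values in rendered HTML
)

// hrefAllowed keeps scheme-less (relative) links and links whose scheme is allowlisted.
func hrefAllowed(raw string, allowed map[string]bool) bool {
	u, err := url.Parse(strings.TrimSpace(raw))
	if err != nil { // net/url rejects control characters, e.g. "java\tscript:"
		return false
	}
	return u.Scheme == "" || allowed[u.Scheme] // url.Parse lowercases the scheme
}

// sanitizeLinks removes the href attribute from every link whose scheme is not
// allowed, leaving an inert <a> element, and reports how many it removed. The
// regexp suffices here; a production sanitizer must walk an HTML token stream.
func sanitizeLinks(renderedHTML string, allowed map[string]bool) (string, int) {
	dropped := 0
	out := hrefAttr.ReplaceAllStringFunc(renderedHTML, func(m string) string {
		if hrefAllowed(hrefAttr.FindStringSubmatch(m)[1], allowed) {
			return m
		}
		dropped++
		return ""
	})
	return out, dropped
}

func main() {
	// Constructed sample (not a real Gogs comment): rendered Markdown with three links.
	comment := `<p><a href="https://example.com/docs">docs</a>, <a href="/issues/42">#42</a>, <a href="data:text/html,placeholder">this</a></p>`
	_, n := sanitizeLinks(comment, permissiveSchemes)
	fmt.Println("permissive allowlist removed:", n) // 0: the data: link is kept
	_, n = sanitizeLinks(comment, hardenedSchemes)
	fmt.Println("hardened allowlist removed:", n) // 1: the data: link is neutralised
}
```

The same check can be used as a regression test after an upgrade: any data: href that survives sanitization of a rendered comment means the allowlist has not been fixed.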


Advisories

Source: GitHub GHSA
ID: GHSA-xrcr-gmf5-2r8j
Title: Gogs: Stored XSS via data URI in issue comments
History

Sat, 07 Mar 2026 06:15:00 +0000

Metrics (values added): ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 06 Mar 2026 14:00:00 +0000

First Time appeared (values added): Gogs; Gogs gogs
CPEs (values added): cpe:2.3:a:gogs:gogs:*:*:*:*:*:*:*:*
Vendors & Products (values added): Gogs; Gogs gogs

Thu, 05 Mar 2026 19:00:00 +0000

Description (values added): the CVE description quoted at the top of this page
Title (values added): Gogs: Stored XSS via data URI in issue comments
Weaknesses (values added): CWE-79
References (values added):
Metrics (values added): cvssV3_1
{'score': 8.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Updated: 2026-03-10T03:55:24.998Z

Reserved: 2026-02-09T21:36:29.555Z

Link: CVE-2026-26022

Vulnrichment

Updated: 2026-03-06T18:12:37.361Z

NVD

Status : Analyzed

Published: 2026-03-05T19:16:03.497

Modified: 2026-03-06T13:55:54.890

Link: CVE-2026-26022

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T10:00:10Z

Weaknesses