Description
Gogs is an open source self-hosted Git service. Prior to version 0.14.2, stored XSS is still possible through unsafe template rendering that mixes user input with safe plus permissive sanitizer handling of data URLs. This issue has been patched in version 0.14.2.
Published: 2026-03-05
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored XSS
Action: Apply Patch
AI Analysis

Impact

Gogs, an open-source self-hosted Git service, contains a stored cross-site scripting flaw that arises from unsafe template rendering. The vulnerability allows an attacker to inject malicious JavaScript into branch and wiki pages by forging author or committer names in a repository commit. When a user views those pages the script executes in the context of their browser.

Affected Systems

All installations of Gogs older than version 0.14.2 are affected. The fix was introduced in release 0.14.2; earlier releases remain vulnerable. No specific platform or OS constraints are noted beyond the requirement that the application be running the vulnerable Gogs build.

Risk and Exploitability

The CVSS score is 6.9, indicating a medium severity flaw, and the EPSS score is below 1%, suggesting a low likelihood of exploitation at the time of assessment. The vulnerability is not listed in CISA's KEV catalog. Based on the description, it is inferred that exploitation requires write access to a repository to set a malicious author or committer name; the script then runs in the context of users accessing the affected branch or wiki page.

Generated by OpenCVE AI on April 18, 2026 at 09:53 UTC.
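The unsafe-template pattern named in the description, as an added illustration in Go (hypothetical view models and templates, not Gogs's own code): a forged author name rendered once as a plain string, which html/template escapes for the HTML context, and once wrapped in template.HTML, which tells the engine to trust it verbatim; the data: link shows html/template's own URL-scheme filtering for contrast with a permissive sanitizer.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
)

// Hypothetical view models for one row of a commit listing, not Gogs's own
// types. Author and AuthorURL come from the commit object, which any pusher controls.
type safeCommitRow struct {
	Author    string // plain string: html/template escapes it for the HTML context
	AuthorURL string // plain string: html/template filters the URL scheme
}

type unsafeCommitRow struct {
	AuthorHTML template.HTML // marked "safe", so html/template trusts it as-is
	AuthorURL  string
}
var safeRow = template.Must(template.New("safe").Parse(
	`<a class="author" href="{{.AuthorURL}}">{{.Author}}</a>`))
var unsafeRow = template.Must(template.New("unsafe").Parse(
	`<a class="author" href="{{.AuthorURL}}">{{.AuthorHTML}}</a>`))

// RenderSafe leaves contextual auto-escaping intact.
func RenderSafe(author, url string) string {
	var b bytes.Buffer
	if err := safeRow.Execute(&b, safeCommitRow{Author: author, AuthorURL: url}); err != nil {
		return "render error: " + err.Error()
	}
	return b.String()
}

// RenderUnsafe reproduces the unsafe pattern: input wrapped in template.HTML, so markup passes through.
func RenderUnsafe(author, url string) string {
	var b bytes.Buffer
	row := unsafeCommitRow{AuthorHTML: template.HTML(author), AuthorURL: url}
	if err := unsafeRow.Execute(&b, row); err != nil {
		return "render error: " + err.Error()
	}
	return b.String()
}
func main() {
	// Constructed sample: a forged author name carrying markup and a data: link.
	name := `Mallory <script>alert(1)</script>`
	link := "data:text/html,hello"
	fmt.Println("escaped:", RenderSafe(name, link))   // markup neutralised, href becomes #ZgotmplZ
	fmt.Println("trusted:", RenderUnsafe(name, link)) // markup rendered verbatim
}
```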

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Gogs to version 0.14.2 or later.
  • Restart the Gogs application to ensure the update is applied.
  • Restrict commit permissions to trusted users, preventing malicious author or committer names from being inserted.

Generated by OpenCVE AI on April 18, 2026 at 09:53 UTC.

Advisories

Source: GitHub GHSA
ID: GHSA-vgvf-m4fw-938j
Title: Gogs: Stored XSS in branch and wiki views through author and committer names

History

Fri, 06 Mar 2026 18:15:00 +0000
  • Metrics added (ssvc): {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 06 Mar 2026 13:45:00 +0000
  • First Time appeared (added): Gogs; Gogs gogs
  • CPEs (added): cpe:2.3:a:gogs:gogs:*:*:*:*:*:*:*:*
  • Vendors & Products (added): Gogs; Gogs gogs
  • Metrics added (cvssV3_1): {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Thu, 05 Mar 2026 19:00:00 +0000
  • Description (added): Gogs is an open source self-hosted Git service. Prior to version 0.14.2, stored xss is still possible through unsafe template rendering that mixes user input with safe plus permissive sanitizer handling of data urls. This issue has been patched in version 0.14.2.
  • Title (added): Gogs: Stored XSS in branch and wiki views through author and committer names
  • Weaknesses (added): CWE-79
  • References (added)
  • Metrics added (cvssV4_0): {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}

No values were removed in any of these entries.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-06T18:08:49.479Z

Reserved: 2026-02-11T19:56:24.813Z

Link: CVE-2026-26195

Vulnrichment

Updated: 2026-03-06T18:08:45.608Z

NVD

Status: Analyzed

Published: 2026-03-05T19:16:03.900

Modified: 2026-03-06T13:40:19.513

Link: CVE-2026-26195

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T10:00:10Z

Weaknesses