Description
Gogs is an open source self-hosted Git service. Prior to version 0.14.2, an attacker can store an HTML/JavaScript payload in a repository’s Milestone name, and when another user selects that Milestone on the New Issue page (/issues/new), a DOM-Based XSS is triggered. This issue has been patched in version 0.14.2.
Published: 2026-03-05
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting
Action: Immediate Patch
AI Analysis

Impact

A DOM‑based XSS flaw in Gogs allows an attacker to store an HTML or JavaScript payload in the name of a repository milestone. When another user selects that milestone on the New Issue page (/issues/new), the client‑side code that updates the form inserts the stored name into the DOM as markup rather than as text, so the payload is parsed by the browser and executes in the victim's session. The weakness is improper neutralization of input during web page generation, CWE‑79, with the stored value reaching a client‑side HTML sink. Any user who opens that repository's New Issue page and selects the poisoned milestone has arbitrary JavaScript run in their browser, which can lead to session hijacking, theft of credentials or tokens entered on the page, actions performed in the victim's name through the web UI, or page defacement.
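The following is an added illustration of the sink class behind this CVE, not Gogs' own code (the advisory does not reproduce the vulnerable statement, and the function and element names here are placeholders). It contrasts a milestone‑selection handler that builds the label by concatenating the stored name into HTML with one that escapes at the sink, and shows the textContent form that needs no escaping at all. It is written without DOM dependencies so the string versions run under Node as well as in a browser.

```javascript
// Added example, not Gogs code: models the sink class behind this CVE.
// Constructed attacker-controlled milestone name as it would be stored
// server-side and returned to the New Issue page.
const STORED_MILESTONE = {
  id: 7,
  name: '<img src=x onerror="alert(document.cookie)">v1.0',
};

// Vulnerable pattern (assumed, for illustration): the name is interpolated
// into markup that the page then assigns to innerHTML or passes to jQuery's
// .html(). The browser parses the <img> tag, the load fails, and onerror
// runs attacker JavaScript with the victim's session.
function renderSelectedMilestoneUnsafe(milestone) {
  return '<span class="milestone">' + milestone.name + '</span>';
}

// HTML escaping for text placed in an element body or a quoted attribute.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened pattern: escape at the sink, so the stored name is rendered as
// the literal text the attacker typed rather than parsed as markup.
function renderSelectedMilestoneSafe(milestone) {
  return '<span class="milestone">' + escapeHtml(milestone.name) + '</span>';
}

// Preferred hardened pattern when a DOM is available: write a text node.
// textContent never invokes the HTML parser, so no escaping is required.
function setMilestoneLabel(element, milestone) {
  element.textContent = milestone.name;
}

// Check used to show the difference: does the rendered label contain a tag
// beyond the template's own <span>?
function containsInjectedTag(html) {
  const inner = html
    .replace(/^<span class="milestone">/, '')
    .replace(/<\/span>$/, '');
  return /<\s*[a-z]/i.test(inner);
}
```

The escape‑at‑sink version is the general CWE‑79 fix for a client‑side template; the textContent version is simpler and preferable wherever the value is plain text. Filtering characters on input (see the recommended actions) reduces exposure but does not address the sink itself.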

Affected Systems

Gogs, versions older than 0.14.2. The issue was fixed in v0.14.2, so any deployment using v0.14.1 or earlier is affected.

Risk and Exploitability

The CVSS 3.1 base score of 7.3 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N) places this vulnerability in the high‑severity range: it is reachable over the network with low attack complexity, needs only a low‑privileged account, requires victim interaction, and has high confidentiality and integrity impact because the injected script runs with the victim's session. The EPSS score below 1% and the SSVC assessment (Exploitation: none, Automatable: no) indicate a low current probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. To exploit it, an attacker needs an account that can create or edit milestones in a repository, then waits for any user who opens that repository's New Issue page and selects the poisoned milestone. Because the bar is ordinary collaborator access, an insider or an attacker who has obtained write access to a repository can plant the payload, and on a shared or public instance the victim pool is everyone who files issues there, including maintainers and administrators. Despite the low exploitation probability, the potential for session compromise of privileged users warrants immediate remediation.

Generated by OpenCVE AI on April 16, 2026 at 12:14 UTC.

Remediation

A vendor fix is available: the issue is patched in Gogs 0.14.2 (see Description). No separate vendor workaround has been published.

OpenCVE Recommended Actions

  • Upgrade Gogs to version 0.14.2 or later, which contains the fix.
  • If an upgrade is not immediately feasible, audit existing milestone names in every repository for markup‑significant content (angle brackets, quote characters followed by on*= event‑handler attributes, javascript: URLs) and rename any that match. This is a stopgap: the stored names are the payload, but the page's client‑side code is what needs fixing, and a name that passes a character audit can still be unsafe in a different sink.
  • Until patched, limit milestone creation and editing to trusted collaborators, and treat a suspicious milestone name as an indicator that a write‑capable account may be compromised. Rejecting HTML in names server‑side reduces exposure but is not a substitute for escaping at the client‑side sink, which is the CWE‑79 fix.
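The audit in the second recommended action, as an added example that is not OpenCVE or Gogs tooling. It runs over a constructed list of milestone records; how you obtain the real list (a database export or the API) is outside the snippet and assumed. The patterns catch element injection (angle brackets), attribute breakout (on*= handlers) and URL‑context injection (javascript:), and each finding carries a neutralized replacement a maintainer can apply by hand.

```javascript
// Added example, not Gogs tooling: audit milestone names exported from a
// pre-0.14.2 instance. The export format below is constructed.
const SAMPLE_MILESTONES = [
  { repo: 'acme/app', id: 1, name: 'v1.0' },
  { repo: 'acme/app', id: 2, name: 'Q3 <release>' },
  { repo: 'acme/app', id: 3, name: '<img src=x onerror=alert(1)>' },
  { repo: 'acme/infra', id: 4, name: 'Cleanup & hardening' },
  { repo: 'acme/infra', id: 5, name: 'a" onmouseover="alert(1)' },
];

// Patterns that are markup-significant if the name reaches an HTML sink.
// A bare ampersand is not flagged: it cannot open a tag or attribute on
// its own. Expect some false positives (e.g. a name that mentions
// "javascript:") and review findings by hand.
const SUSPICIOUS = [
  { reason: 'angle bracket', re: /[<>]/ },
  { reason: 'event handler attribute', re: /\bon[a-z]+\s*=/i },
  { reason: 'javascript: URL', re: /javascript\s*:/i },
];

// Returns the list of reasons a name is suspicious (empty if clean).
function classify(name) {
  return SUSPICIOUS.filter((p) => p.re.test(name)).map((p) => p.reason);
}

// Replacement a maintainer can apply: drop angle brackets and break the
// on*= and javascript: sequences while keeping the name readable.
function neutralize(name) {
  return name
    .replace(/[<>]/g, '')
    .replace(/\bon([a-z]+)\s*=/gi, 'on-$1 ')
    .replace(/javascript\s*:/gi, 'javascript-');
}

// One finding per milestone whose name matches any pattern.
function auditMilestoneNames(milestones) {
  const findings = [];
  for (const m of milestones) {
    const reasons = classify(m.name);
    if (reasons.length > 0) {
      findings.push({
        repo: m.repo,
        id: m.id,
        name: m.name,
        reasons,
        replacement: neutralize(m.name),
      });
    }
  }
  return findings;
}
```

Against the constructed sample the audit flags milestones 2, 3 and 5 and leaves "Cleanup & hardening" alone. Treat any hit in a repository the reporter does not own as a reason to review who holds write access there.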

Advisories
Source: GitHub GHSA
ID: GHSA-vgjm-2cpf-4g7c
Title: Gogs: DOM-based XSS via milestone selection
History

Fri, 06 Mar 2026 18:15:00 +0000

Type: Metrics
Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 05 Mar 2026 22:00:00 +0000

Type: First Time appeared
Added: Gogs; Gogs gogs
Type: CPEs
Added: cpe:2.3:a:gogs:gogs:*:*:*:*:*:*:*:*
Type: Vendors & Products
Added: Gogs; Gogs gogs

Thu, 05 Mar 2026 19:00:00 +0000

Type: Description
Added: Gogs is an open source self-hosted Git service. Prior to version 0.14.2, an attacker can store an HTML/JavaScript payload in a repository’s Milestone name, and when another user selects that Milestone on the New Issue page (/issues/new), a DOM-Based XSS is triggered. This issue has been patched in version 0.14.2.
Type: Title
Added: Gogs: DOM-based XSS via milestone selection
Type: Weaknesses
Added: CWE-79
Type: References
Added:
Type: Metrics
Added: cvssV3_1
{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-07T04:55:33.384Z

Reserved: 2026-02-12T17:10:53.413Z

Link: CVE-2026-26276

Vulnrichment

Updated: 2026-03-06T18:06:08.344Z

NVD

Status : Analyzed

Published: 2026-03-05T19:16:04.373

Modified: 2026-03-05T22:00:00.810

Link: CVE-2026-26276

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T12:15:35Z

Weaknesses