Impact
The vulnerability resides in the client-side rendering of Jupyter notebook (.ipynb) files in Gogs. When a markdown cell is processed by the marked() library on the client without sanitization, links that use dangerous schemes such as javascript: are rendered and left intact in the output. A user who opens the notebook and clicks one of these links executes arbitrary JavaScript in the browser, running in the same origin as the Gogs instance. This stored Cross-Site Scripting flaw can lead to theft of session cookies, defacement of the user interface, or the execution of actions on behalf of the victim.
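An added example, not part of the advisory or the Gogs code base: a Node.js audit that flags links in a notebook's markdown cells whose scheme falls outside an allowlist, which helps when reviewing stored notebooks on an instance that has not yet been upgraded. The allowlist, the function names and the sample notebook are assumptions of this example, and the regexes approximate markdown link syntax rather than reimplementing marked().

```javascript
// Allowlist is this example's assumption, not taken from the Gogs fix.
const SAFE_SCHEMES = new Set(["http", "https", "mailto"]);
// Where a URL can appear in a markdown cell: inline links, reference
// definitions, autolinks, and raw HTML href/src attributes.
const LINK_PATTERNS = [
  /\]\(\s*<?([^)\s>]*)/g,
  /^\s{0,3}\[[^\]]+\]:\s*<?(\S+)/gm,
  /<([a-zA-Z][a-zA-Z0-9+.-]{1,31}:[^\s<>]*)>/g,
  /\b(?:href|src)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi,
];
// Decode numeric character references and the named ones that can hide a scheme.
function decodeEntities(s) {
  const cp = (n) => (n <= 0x10ffff ? String.fromCodePoint(n) : "");
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => cp(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => cp(parseInt(d, 10)))
    .replace(/&colon;/g, ":").replace(/&Tab;/g, "\t").replace(/&NewLine;/g, "\n");
}
// Scheme as a browser parses it: tabs/newlines removed, leading control
// characters and spaces dropped. Returns null for relative URLs.
function schemeOf(url) {
  const cleaned = url.replace(/[\t\n\r]/g, "").replace(/^[\u0000-\u0020]+/, "");
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}
// One finding per markdown-cell link whose scheme is not allowlisted.
function auditNotebook(ipynbText) {
  const findings = [];
  (JSON.parse(ipynbText).cells || []).forEach((cell, index) => {
    if (cell.cell_type !== "markdown") return; // code cells are not rendered as links
    const text = Array.isArray(cell.source) ? cell.source.join("") : String(cell.source || "");
    for (const re of LINK_PATTERNS) {
      for (const m of text.matchAll(re)) {
        const url = decodeEntities(m.slice(1).find((g) => g !== undefined) || "");
        const scheme = schemeOf(url);
        if (scheme && !SAFE_SCHEMES.has(scheme)) findings.push({ cell: index, scheme, url });
      }
    }
  });
  return findings;
}
// Constructed sample notebook (nbformat 4 layout); not from a real repository.
const SAMPLE = JSON.stringify({ cells: [
  { cell_type: "markdown", source: ["# Notes\n", "[docs](https://example.com/docs) [local](./README.md)\n"] },
  { cell_type: "markdown", source: "[report](JavaScript:void(0))" },
  { cell_type: "code", source: "print('[x](javascript:void(0))')" },
  { cell_type: "markdown", source: "<a href=\"java&#x73;cript:void(0)\">x</a>\n[ref]: data:text/html,x" },
] });
console.log(auditNotebook(SAMPLE));
```

A finding is a prompt for manual review, not proof of malice; upgrading to the fixed release remains the remediation.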
Affected Systems
Gogs is the vendor, and the flaw is present in all public releases prior to version 0.14.3, the release into which the fixing commit was merged. Based on the description, it is inferred that any deployed Gogs instance running 0.14.2 or earlier is vulnerable. The issue applies to every operating system that runs Gogs, because the vulnerability is independent of the underlying platform.
Risk and Exploitability
The CVSS score of 8.9 classifies the flaw as High severity. The EPSS metric is not available, and the vulnerability is not listed in the CISA KEV catalog, so no current evidence of widespread exploitation is reported. The likely attack vector involves an attacker embedding a malicious .ipynb file into a repository; based on the description, it is inferred that the attacker must have write access to a repository that will be viewed by a target. Once the file is stored, any user who opens it and clicks the link can trigger the payload, without requiring administrative privileges. Consequently, this stored XSS vulnerability remains a significant risk for environments where users can push or modify notebooks for public or internal viewing.