Description
Gogs is an open source self-hosted Git service. Prior to 0.14.3, in new_form.tmpl, milestone names are rendered with Go's default auto-escaping ({{.Name}}), which converts < to &lt; etc. This prevents direct HTML injection. However, when the browser renders the DOM, the text content of the element contains the decoded original payload. Semantic UI 2.4.2's dropdown component has preserveHTML: true as the default setting. When a user selects a dropdown item, the internal set.text() method calls jQuery's .html() with the item's text content. This re-parses the decoded text as HTML, creating the injected element and triggering the JavaScript event handler. An attacker can store an HTML/JavaScript payload in a milestone name, and when any user opens the New Issue page and interacts with the milestone dropdown, the payload executes in their browser via Semantic UI's preserveHTML behavior. This vulnerability is fixed in 0.14.3.
Published: 2026-06-24
Score: 4.8 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Milestone names are stored in the database and rendered in the New Issue page template using Go’s auto‑escaping. When the page is displayed, the browser creates a DOM element containing the milestone name. Semantic UI’s dropdown component, which defaults to preserveHTML:true, re‑parses that text as HTML and executes any injected script attached to event handlers. An attacker can therefore store a malicious payload in a milestone name and cause arbitrary JavaScript to run in the context of any user who opens the page and selects the milestone, potentially allowing session hijacking, credential theft, or defacement.

Affected Systems

The vulnerability affects the open‑source Gogs Git service, specifically versions prior to 0.14.3 (0.14.0 through 0.14.2). The affected product is the gogs:gogs implementation of the self‑hosted Git server.

Risk and Exploitability

The CVSS score of 4.8 indicates moderate severity, but the flaw can be abused if an attacker can control or influence milestone names. EPSS data is unavailable, and the vulnerability is not listed in CISA’s KEV catalog. The attack requires user interaction with the New Issue page and a functional Semantic UI front‑end. Because the victim’s browser renders the malicious payload, the impact is limited to the victim session and does not provide direct control over the server or other users. Nonetheless the ease of exploitation in a web UI poses a real risk for unintended script execution and cross‑site data theft.

Generated by OpenCVE AI on June 24, 2026 at 21:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Gogs to version 0.14.3 or later, which removes the preserveHTML setting from the milestone dropdown template
  • If an update is not yet possible, modify the new_form.tmpl or the Semantic UI configuration to set preserveHTML to false so that the dropdown’s .html() call no longer re‑parses injected content
  • Delete or rename any milestone names that contain non‑alphanumeric characters or suspicious payloads before exposing the New Issue page to general users

Generated by OpenCVE AI on June 24, 2026 at 21:29 UTC.
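
Added example, not part of the advisory or of Gogs' code: a small audit that follows the chain in the Description (server-side escaping, entity decoding in the DOM text, re-parsing by an HTML sink) and flags stored milestone names that need review before an upgrade. The function names and sample names are constructed for illustration, and serverEscape is a simplified approximation of Go's template escaping.

```javascript
// Added example: helper names and sample data are constructed for illustration.

// Simplified approximation of Go html/template escaping in a text context.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&#34;', "'": '&#39;' };
function serverEscape(name) {
  return name.replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// What the browser exposes as the element's text content: entities are
// decoded once, so the stored name reappears unchanged.
const DECODES = { amp: '&', lt: '<', gt: '>', quot: '"', '#34': '"', '#39': "'" };
function browserTextContent(markup) {
  return markup.replace(/&(amp|lt|gt|quot|#34|#39);/g, (_, e) => DECODES[e]);
}

// True when the string would open a tag, comment or declaration if an
// HTML-parsing sink (such as jQuery .html()) were given it.
function reparsesAsMarkup(text) {
  return /<[a-zA-Z\/!?]/.test(text);
}

// Audit milestone names (for example, exported from the database).
function auditMilestoneNames(names) {
  return names.map((name) => {
    const rendered = serverEscape(name);        // what the template emits
    const text = browserTextContent(rendered);  // what the dropdown item holds
    return {
      name,
      rendered,
      escapedSafely: !reparsesAsMarkup(rendered), // page source contains no tag
      roundTrips: text === name,                  // DOM text equals stored name
      risky: reparsesAsMarkup(text),              // .html(text) would build elements
    };
  });
}

// Constructed sample milestone names.
const SAMPLE_NAMES = ['v1.0', 'Q3 & Q4 planning', 'a < b', '1.2 <b>urgent</b>'];
const report = auditMilestoneNames(SAMPLE_NAMES);
for (const r of report) {
  console.log(`${r.risky ? 'REVIEW' : 'ok    '}  ${JSON.stringify(r.name)} -> ${r.rendered}`);
}
```

A name can be escapedSafely and risky at the same time: the server output is correct, and the exposure only appears when the client re-parses the decoded text.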

Advisories
Source: GitHub GHSA
ID: GHSA-vcm5-gvmp-78mp
Title: Gogs has DOM-based XSS via Milestone Name on New Issue Page
History

Wed, 24 Jun 2026 20:30:00 +0000

Values Added:
  • Description: same text as the Description at the top of this page
  • Title: Gogs: DOM-based XSS via Milestone Name on New Issue Page
  • Weaknesses: CWE-79
  • References
  • Metrics: cvssV4_0, score 4.8, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-24T20:25:49.230Z

Reserved: 2026-06-08T18:02:19.731Z

Link: CVE-2026-52807

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T21:30:04Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')