CVE-2025-47943 — Cross-site Scripting in Gogs Gogs

CWE-79 — Cross-site Scripting CWE-125 — Out-of-bounds Read5 documents4 sources

Severity

6.3MEDIUMNVD

GHSA8.8OSV8.8

EPSS

0.3%

top 51.31%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Gogs Gogs Gogs.io Gogs Gogs +3 more

Timeline

PublishedJun 24

Latest updateJul 28

Description

Gogs is an open source self-hosted Git service. In application version 0.14.0+dev and prior, there is a stored cross-site scripting (XSS) vulnerability present in Gogs, which allows client-side Javascript code execution. The vulnerability is caused by the usage of a vulnerable and outdated component: pdfjs-1.4.20 under public/plugins/. This issue has been fixed for gogs.io/gogs in version 0.13.3.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:NExploitability: 2.1 | Impact: 4.2

Affected Packages6 packages

▶Gogogs.io/gogs< 0.13.3-0.20250608224432-110117b2e5e5

▶Gogithub.com/gogs_gogs< 0.13.3-0.20250608224432-110117b2e5e5

▶CVEListV5gogs/gogs0.14.0+dev

▶msrcmsrc/cbl_mariner_2.0_arm

▶msrcmsrc/cbl_mariner_2.0_x64

🔴Vulnerability Details

OSV

Gogs XSS allowed by stored call in PDF renderer in gogs.io/gogs↗2025-07-28

▶

OSV

Gogs XSS allowed by stored call in PDF renderer↗2025-06-26

▶

GHSA

Gogs XSS allowed by stored call in PDF renderer↗2025-06-26

▶

📋Vendor Advisories

Microsoft

An issue was discovered in ksmbd in the Linux kernel 5.15 through 5.19 before 5.19.2. There is an out-of-bounds read and OOPS for SMB2_WRITE when there is a large length in the zero DataOffset case.↗2022-12-13

▶