CVE-2026-26195 — Cross-site Scripting in Gogs

CWE-79 — Cross-site Scripting21 documents4 sources

Severity

6.9MEDIUMNVD

EPSS

0.0%

top 89.92%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gogs Gogs.io Gogs

Timeline

PublishedMar 5

Latest updateMar 10

Description

Gogs is an open source self-hosted Git service. Prior to version 0.14.2, stored xss is still possible through unsafe template rendering that mixes user input with safe plus permissive sanitizer handling of data urls. This issue has been patched in version 0.14.2.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Affected Packages2 packages

▶NVDgogs/gogs< 0.14.2

▶Gogogs.io/gogs0.13.3

Patches

Patch: github.com ↗

🔴Vulnerability Details

OSV

Gogs: Stored XSS in branch and wiki views through author and committer names in gogs.io/gogs↗2026-03-10

▶

GHSA

Gogs: Stored XSS in branch and wiki views through author and committer names↗2026-03-05

▶

OSV

Gogs: Stored XSS in branch and wiki views through author and committer names↗2026-03-05

▶

🕵️Threat Intelligence

Wiz

CVE-2026-26196 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2026-24135 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2026-25921 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2026-22592 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2026-26022 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶