CVE-2026-26276 — Cross-site Scripting in Gogs

CWE-79 — Cross-site Scripting21 documents4 sources

Severity

5.4MEDIUMNVD

EPSS

0.0%

top 90.00%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gogs Gogs.io Gogs

Timeline

PublishedMar 5

Latest updateMar 10

Description

Gogs is an open source self-hosted Git service. Prior to version 0.14.2, an attacker can store an HTML/JavaScript payload in a repository’s Milestone name, and when another user selects that Milestone on the New Issue page (/issues/new), a DOM-Based XSS is triggered. This issue has been patched in version 0.14.2.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages2 packages

▶NVDgogs/gogs< 0.14.2

▶Gogogs.io/gogs0.13.3

🔴Vulnerability Details

OSV

Gogs: DOM-based XSS via milestone selection in gogs.io/gogs↗2026-03-10

▶

GHSA

Gogs: DOM-based XSS via milestone selection↗2026-03-05

▶

OSV

Gogs: DOM-based XSS via milestone selection↗2026-03-05

▶

🕵️Threat Intelligence

Wiz

CVE-2026-26196 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2026-24135 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2026-25921 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2026-22592 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2026-26022 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶