
Gogs.Io Gogs vulnerabilities

73 known vulnerabilities affecting gogs.io/gogs.

Total CVEs: 73
CISA KEV: 1 (actively exploited)
Public exploits: 8
Exploited in wild: 3
Severity breakdown: CRITICAL 17 | HIGH 29 | MEDIUM 26 | LOW 1

Vulnerabilities

Page 4 of 4
CVE-2026-26022 | P4 | HIGH | affected versions ≥ 0, < 0.14.2 | 2026-03-05
CVE-2026-26022 [HIGH] CWE-79 Gogs: Stored XSS via data URI in issue comments
### Summary
A Stored Cross-site Scripting (XSS) vulnerability exists in the comment and issue description functionality. The application's HTML sanitizer explicitly allows `data:` URI schemes, enabling authenticated users to inject arbitrary JavaScript execution via malicious links.
### Details
The vulnerability is located in `internal/markup/sanitizer.go`. The applicati
Sources: GHSA, OSV
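The check a link sanitizer needs for this class of bug, as an added example written for this page (not Gogs' `internal/markup/sanitizer.go`): every href with a scheme is compared against an allowlist that deliberately omits `data:`, relative paths stay, and protocol-relative `//host` targets are refused. The function names `SafeLink`/`FilterLinks` and the allowlist contents are assumptions; the sample links are constructed.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// allowedSchemes is the href/src scheme allowlist for this example. "data"
// is deliberately absent: a data:text/html URI carries its own document,
// script included, so allowing it lets any comment author ship executable
// content behind a link. (Assumed allowlist, not the project's.)
var allowedSchemes = map[string]bool{
	"http":   true,
	"https":  true,
	"mailto": true,
}

// SafeLink reports whether a user-supplied URL may be kept as a link target.
// Relative paths are accepted; any URL carrying a scheme must be on the
// allowlist; protocol-relative URLs ("//host") are rejected because they
// reach another origin without naming a scheme.
func SafeLink(raw string) bool {
	raw = strings.TrimSpace(raw)
	if raw == "" || strings.HasPrefix(raw, "//") {
		return false
	}
	// url.Parse rejects control characters, so "java\tscript:" cannot
	// sneak past a plain prefix comparison. It also lowercases the scheme.
	u, err := url.Parse(raw)
	if err != nil {
		return false
	}
	if u.Scheme == "" {
		return true // relative link: stays on the current origin
	}
	return allowedSchemes[strings.ToLower(u.Scheme)]
}

// FilterLinks keeps only the hrefs a sanitizer should leave in the output.
func FilterLinks(hrefs []string) []string {
	kept := make([]string, 0, len(hrefs))
	for _, h := range hrefs {
		if SafeLink(h) {
			kept = append(kept, h)
		}
	}
	return kept
}

func main() {
	// Constructed sample links, including the data: payload shape the
	// advisory describes.
	samples := []string{
		"https://example.org/repo/issues/1",
		"/gogs/gogs/issues/2",
		"data:text/html,<script>alert(document.cookie)</script>",
		"javascript:alert(1)",
		"//attacker.example/",
		"mailto:dev@example.org",
	}
	for _, s := range samples {
		fmt.Printf("%-60s safe=%v\n", s, SafeLink(s))
	}
}
```

A real sanitizer applies this to every `href`, `src` and similar attribute after parsing the HTML, not to the raw text; the point here is that the allowlist, not a denylist of known-bad schemes, is what keeps `data:` out.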
CVE-2026-26196 | P4 | MEDIUM | affected versions ≥ 0, ≤ 0.13.3 | 2026-03-05
CVE-2026-26196 [MEDIUM] CWE-598 Gogs: Access tokens get exposed through URL params in API requests
### Summary
The Gogs API still accepts tokens in URL parameters such as `token` and `access_token`, which can leak through logs, browser history, and referrers.
### Details
A static review shows that the API still checks tokens in the URL query before looking at headers:
- internal/context/auth.go reads `c.Query("token")`
- int
Sources: GHSA, OSV
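Header-only token handling of the kind the advisory calls for, as an added example for this page and not the project's `internal/context/auth.go`: the middleware refuses a token sent as `token` or `access_token` in the query string with a 400 (so the client learns to move it rather than silently succeeding and leaving the secret in every access log), and accepts only `Authorization: token <value>` or `Authorization: Bearer <value>`. The token table, the `userKey` context key and the `StatusFor` driver are assumptions built for the demonstration.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// userKey is the context key under which the middleware hands the
// authenticated user name to the wrapped handler (an assumption for this
// example).
type userKey struct{}

// tokenInQuery reports whether the client put a token in the URL under the
// parameter names the advisory lists.
func tokenInQuery(r *http.Request) bool {
	q := r.URL.Query()
	return q.Get("token") != "" || q.Get("access_token") != ""
}

// TokenFromRequest returns the API token carried in the Authorization header
// ("token <value>" or "Bearer <value>"). It returns ok=false when the token
// arrived in the query string, because query strings are copied into access
// logs, browser history and Referer headers.
func TokenFromRequest(r *http.Request) (token string, ok bool) {
	if tokenInQuery(r) {
		return "", false
	}
	auth := r.Header.Get("Authorization")
	for _, prefix := range []string{"token ", "Bearer "} {
		if strings.HasPrefix(auth, prefix) {
			if t := strings.TrimSpace(strings.TrimPrefix(auth, prefix)); t != "" {
				return t, true
			}
		}
	}
	return "", false
}

// RequireToken wraps an API handler. A token in the URL is answered with
// 400; a missing or unknown header token with 401. valid maps token -> user
// and stands in for a database lookup.
func RequireToken(valid map[string]string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if tokenInQuery(r) {
			http.Error(w, "send the token in the Authorization header, not in the URL", http.StatusBadRequest)
			return
		}
		t, ok := TokenFromRequest(r)
		user, known := valid[t]
		if !ok || !known {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		ctx := context.WithValue(r.Context(), userKey{}, user)
		next.ServeHTTP(w, r.WithContext(ctx))
	})
}

// StatusFor sends one request through RequireToken with a constructed token
// table and returns the HTTP status the client would see.
func StatusFor(target, authHeader string) int {
	valid := map[string]string{"tok-abc123": "alice"} // constructed token table
	h := RequireToken(valid, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "hello %s", r.Context().Value(userKey{}))
	}))
	req := httptest.NewRequest(http.MethodGet, target, nil)
	if authHeader != "" {
		req.Header.Set("Authorization", authHeader)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(StatusFor("/api/v1/user?token=tok-abc123", "")) // 400: token in URL
	fmt.Println(StatusFor("/api/v1/user", "token tok-abc123"))  // 200
	fmt.Println(StatusFor("/api/v1/user", ""))                  // 401
}
```

Rejecting rather than merely ignoring the query form matters for the same reason the advisory gives: the leak happens when the request is logged, before the server decides what to do with the parameter.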
CVE-2026-26276 | P4 | HIGH | affected versions ≥ 0, ≤ 0.13.3 | 2026-03-05
CVE-2026-26276 [HIGH] CWE-79 Gogs: DOM-based XSS via milestone selection
# Summary
It was confirmed in a test environment that an attacker can store an HTML/JavaScript payload in a repository's **Milestone name**, and when another user selects that Milestone on the **New Issue** page (`/issues/new`), a **DOM-Based XSS** is triggered.
# Impact
* Theft of information accessible in the victim's session.
* Extraction of CSRF tokens and submission of st
Sources: GHSA, OSV
CVE-2026-52807 | P4 | HIGH | affected versions ≥ 0, < 0.14.3 | 2026-06-23
CVE-2026-52807 [HIGH] CWE-79 Gogs has DOM-based XSS via Milestone Name on New Issue Page
### Summary
The fix for GHSA-vgjm-2cpf-4g7c (DOM-based XSS via milestone selection) was only applied to `templates/repo/issue/view_content.tmpl` but not to `templates/repo/issue/new_form.tmpl`. An attacker can store an HTML/JavaScript payload in a milestone name, and when any user opens the New Issue page and interacts with the milestone dropdown,
Sources: GHSA
CVE-2018-15178 | P4 | MEDIUM | affected versions ≥ 0, < 0.12.0 | 2021-06-29
CVE-2018-15178 [MEDIUM] CWE-601 Open Redirect
Open redirect vulnerability in Gogs before 0.12 allows remote attackers to redirect users to arbitrary websites and conduct phishing attacks via an initial /\ substring in the user/login redirect_to parameter, related to the function isValidRedirect in routes/user/auth.go.
Sources: GHSA, OSV
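A redirect validator that closes the `/\` case, as an added example for this page (not the project's `isValidRedirect`): a target passes only when it is an absolute path on the current origin, which rules out `//host` (protocol-relative) and `/\host` (which browsers normalise to `//host`), as well as full URLs and anything `net/url` refuses to parse. The function names and the fallback convention are assumptions.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// IsValidRedirect decides whether a redirect_to value may be followed after
// login. Only same-origin absolute paths pass: a single leading "/" that is
// not followed by another "/" or by "\". "//host" is protocol-relative and
// leaves the site; "/\host" is the variant from the advisory, which browsers
// treat as "//host" after normalising the backslash.
func IsValidRedirect(target string) bool {
	target = strings.TrimSpace(target)
	if len(target) < 1 || target[0] != '/' {
		return false // empty, relative-to-page, or an absolute URL: refuse
	}
	if len(target) > 1 && (target[1] == '/' || target[1] == '\\') {
		return false // "//evil" or "/\evil"
	}
	u, err := url.Parse(target)
	if err != nil {
		return false // control characters and other unparsable input
	}
	// Belt and braces: after parsing there must be no scheme, host or
	// userinfo component at all.
	return u.Scheme == "" && u.Host == "" && u.User == nil
}

// SafeRedirectTarget returns target when it passes the check and the
// application's own landing page otherwise, so callers never branch on a
// rejected value.
func SafeRedirectTarget(target, fallback string) string {
	if IsValidRedirect(target) {
		return target
	}
	return fallback
}

func main() {
	// Constructed redirect_to values, including the advisory's "/\" prefix.
	for _, v := range []string{
		"/user/settings",
		"//attacker.example/login",
		`/\attacker.example/login`,
		"https://attacker.example/",
		"attacker.example",
	} {
		fmt.Printf("%-32s -> %s\n", v, SafeRedirectTarget(v, "/"))
	}
}
```

Checking the second byte explicitly, rather than only parsing, is the important part: `net/url` parses `/\evil` as a plain path with no host, so a parser-only check is exactly what the original bypass defeats.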
CVE-2022-1464 | P4 | MEDIUM | affected versions ≥ 0, < 0.12.7 | 2022-05-24
CVE-2022-1464 [MEDIUM] CWE-79 Cross-site Scripting in Gogs
### Impact
A malicious user is able to upload a crafted SVG file as an issue attachment to achieve XSS. All installations that [allow uploading SVG (`text/xml`) files as issue attachments (non-default)](https://github.com/gogs/gogs/blob/e51e01683408e10b3dcd2ace65e259ca7f0fd61b/conf/app.ini#L283-L284) are affected.
### Patches
Correctly setting the Content Security Policy for the serving endpoint. Users shou
Sources: GHSA, OSV
CVE-2022-31038 | P4 | MEDIUM | affected versions ≥ 0, < 0.12.9 | 2022-06-08
CVE-2022-31038 [MEDIUM] CWE-79 Cross-site Scripting vulnerability in repository issue list in Gogs
### Impact
`DisplayName` allows all the characters from users, which leads to an XSS vulnerability when directly displayed in the issue list.
### Patches
`DisplayName` is sanitized before being displayed. Users should upgrade to 0.12.9 or the latest 0.13.0+dev.
### Workarounds
Check and update the existing users' display names t
Sources: GHSA, OSV
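The milestone-name advisories (CVE-2026-26276, CVE-2026-52807) and the `DisplayName` advisory (CVE-2022-31038) share one root cause: a user-controlled string reaches the page in a context where it is interpreted as markup. The added example below, written for this page and not taken from Gogs' templates, renders the same constructed template source once with `text/template` (no escaping) and once with `html/template`, whose escaper is chosen per context: element text, an attribute value, and a JavaScript string literal of the kind a dropdown handler produces. The template markup, the `Milestone` type and the payload are assumptions.

```go
package main

import (
	"bytes"
	"fmt"
	htmltemplate "html/template"
	"strings"
	texttemplate "text/template"
)

// optionTemplate is a constructed stand-in for a milestone dropdown item and
// the script that records the selection; it is not Gogs' new_form.tmpl. The
// name lands in three contexts: element text, an attribute value, and a
// JavaScript string literal.
const optionTemplate = `<div class="item" data-value="{{.ID}}" data-name="{{.Name}}">{{.Name}}</div>
<script>var selectedMilestone = {{.Name}};</script>`

// Milestone carries the user-controlled name. A user's DisplayName in the
// issue list is the same situation with a different field.
type Milestone struct {
	ID   int64
	Name string
}

// RenderUnsafe renders with text/template, which substitutes the value
// verbatim in every context. This is the behaviour that turns a stored
// payload into live markup.
func RenderUnsafe(m Milestone) (string, error) {
	t, err := texttemplate.New("option").Parse(optionTemplate)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, m); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// RenderSafe renders the identical source with html/template, which picks
// the escaper from the context: HTML text and attribute values get entity
// escaping, and inside <script> the value becomes a quoted JS string with
// "<" and ">" written as \u003c and \u003e.
func RenderSafe(m Milestone) (string, error) {
	t, err := htmltemplate.New("option").Parse(optionTemplate)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, m); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// PayloadSurvives reports whether the rendered page still contains the
// payload as a raw tag, i.e. whether a browser would parse it as an element.
func PayloadSurvives(rendered string) bool {
	return strings.Contains(rendered, "<img")
}

func main() {
	// Constructed payload of the kind the advisories describe.
	evil := Milestone{ID: 7, Name: `<img src=x onerror=alert(document.cookie)>`}
	raw, _ := RenderUnsafe(evil)
	safe, _ := RenderSafe(evil)
	fmt.Println("text/template:\n" + raw)
	fmt.Println("html/template:\n" + safe)
	fmt.Println("payload survives:", PayloadSurvives(raw), PayloadSurvives(safe))
}
```

Server-side escaping is necessary but, for the DOM-based variant, not sufficient: if client-side JavaScript later reads the name back and writes it with `innerHTML`, the entities are decoded and the payload is live again. The fix in that case is to assign it through `textContent`, which is why the second advisory had to patch the page's own template rather than the shared renderer.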
CVE-2018-17031 | P4 | MEDIUM | affected versions ≥ 0, < 0.12.0 | 2022-05-14
CVE-2018-17031 [MEDIUM] CWE-79 Gogs XSS Vulnerability
In Gogs 0.11.53, an attacker can use a crafted .eml file to trigger MIME type sniffing, which leads to XSS, as demonstrated by Internet Explorer, because an "X-Content-Type-Options: nosniff" header is not sent.
Sources: GHSA, OSV
CVE-2025-64719 | P4 | MEDIUM | affected versions ≥ 0, < 0.14.3 | 2026-06-22
CVE-2025-64719 [MEDIUM] CWE-20 Gogs has a Denial of Service in repository/wiki file listing web pages
### Summary
A malicious user with rights to create a new file on a repository or wiki page can trigger a denial of service condition in which the pages containing the listing of files will return HTTP error 500 and render the web interface unusable for the repository or wiki.
### Details
The issue is present in file `intern
Sources: GHSA
CVE-2014-8683 | P4 | MEDIUM | affected versions ≥ 0.3.1, < 0.5.8 | 2021-06-29
CVE-2014-8683 [MEDIUM] CWE-79 Cross-site Scripting in Gogs
Cross-site scripting (XSS) vulnerability in models/issue.go in Gogs (aka Go Git Service) 0.3.1-9 through 0.5.x before 0.5.8 allows remote attackers to inject arbitrary web script or HTML via the text parameter to api/v1/markdown.
Sources: GHSA, OSV
CVE-2026-52796 | P4 | LOW | affected versions ≥ 0, < 0.14.3 | 2026-06-22
CVE-2026-52796 [LOW] CWE-1336 Gogs has DoS in rendering issue index pattern
### Summary
Special template of issue index pattern may cause panic.
### Details
in internal/markup/markup.go
```go
link = fmt.Sprintf(`%s`, com.Expand(metas["format"], metas), m)
```
Issue index pattern is rendered to link with `com.Expand`. However, `com.Expand` is not safe.
```go
i = strings.Index(template, "}")
if s, ok := match[template[:i]]; ok {
```
when `{` is
Sources: GHSA
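The failure mode is `strings.Index` returning -1 for a missing `}` and that value being used as a slice bound. The added example below, written for this page, reconstructs the quoted pattern as `UnsafeExpand` (a model of the bug, not the `com.Expand` source) so the panic can be observed under `recover`, and pairs it with `Expand`, a placeholder expander that emits an unterminated `{...` literally instead of slicing with a negative index. The placeholder semantics (unknown keys left as written) and the sample metas are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// UnsafeExpand mirrors the pattern quoted in the advisory: it looks for "}"
// after the first "{" and slices with whatever index comes back.
// strings.Index returns -1 when "}" is absent, and rest[:-1] panics with
// "slice bounds out of range". This is a reconstruction for this page, not
// the com.Expand source.
func UnsafeExpand(template string, match map[string]string) string {
	i := strings.Index(template, "{")
	if i < 0 {
		return template
	}
	head, rest := template[:i], template[i+1:]
	j := strings.Index(rest, "}") // -1 when no closing brace
	if s, ok := match[rest[:j]]; ok { // panics when j == -1
		return head + s + rest[j+1:]
	}
	return template
}

// Expand is the hardened form: every "{" either has a matching "}" and is
// looked up, or the remainder of the template is emitted verbatim. Unknown
// keys are left as written. No slice bound can ever be negative.
func Expand(template string, match map[string]string) string {
	var b strings.Builder
	for {
		open := strings.Index(template, "{")
		if open < 0 {
			b.WriteString(template)
			return b.String()
		}
		b.WriteString(template[:open])
		rest := template[open+1:]
		end := strings.Index(rest, "}")
		if end < 0 {
			b.WriteString(template[open:]) // unterminated placeholder: keep verbatim
			return b.String()
		}
		key := rest[:end]
		if v, ok := match[key]; ok {
			b.WriteString(v)
		} else {
			b.WriteString("{" + key + "}")
		}
		template = rest[end+1:]
	}
}

// Panics reports whether f panics, so the failure mode can be demonstrated
// without taking the process down.
func Panics(f func()) (panicked bool) {
	defer func() {
		if recover() != nil {
			panicked = true
		}
	}()
	f()
	return false
}

func main() {
	// Constructed metas of the shape an issue index pattern is expanded with.
	metas := map[string]string{"user": "alice", "repo": "api", "index": "42"}
	fmt.Println(Expand("https://tracker.example/{user}/{repo}/issues/{index}", metas))
	fmt.Println(Expand("https://tracker.example/{user", metas)) // left verbatim
	fmt.Println("unsafe panics on '{user':", Panics(func() { UnsafeExpand("{user", metas) }))
}
```

Because the pattern is repository configuration set by anyone who can edit settings, the hardened expander is the right place for the fix; validating the pattern at save time is a useful second line, but the renderer must not be able to panic on stored data.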
CVE-2026-25120 | P4 | MEDIUM | affected versions ≥ 0, < 0.14.0 | 2026-02-17
CVE-2026-25120 [MEDIUM] CWE-639 Gogs Allows Cross-Repository Comment Deletion via DeleteComment
# IDOR: Cross-Repository Comment Deletion via DeleteComment
## Summary
The `POST /:owner/:repo/issues/comments/:id/delete` endpoint does not verify that the comment belongs to the repository specified in the URL. This allows a repository administrator to delete comments from any other repository by supplying arbitrary comment IDs, bypa
Sources: GHSA, OSV
CVE-2025-65852 | MEDIUM | affected versions ≥ 0, < 0.13.4 | 2026-02-06
CVE-2025-65852 [MEDIUM] CWE-284 Gogs has authorization bypass in repository deletion API
### Summary
The DELETE /api/v1/repos/:owner/:repo endpoint lacks necessary permission validation middleware. Consequently, any user with read access (including read-only collaborators) can delete the entire repository. This vulnerability stems from the API route configuration only utilizing the repoAssignment() middleware (which only verifies read a
Sources: GHSA, OSV
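CVE-2026-25120 and CVE-2025-65852 are the two halves of object-level authorization: the first endpoint checked the caller's role but not that the object belonged to the route's repository, the second resolved the repository but never checked the caller's level beyond read. The added example below, written for this page and not Gogs' models or routers, puts both checks in front of the destructive operation against a constructed in-memory store. The access-level ladder, the level each operation requires (admin for comment deletion, owner for repository deletion) and the sample data are assumptions.

```go
package main

import (
	"errors"
	"fmt"
)

// AccessMode is a per-user access level on a repository; the ladder is an
// assumption for this example.
type AccessMode int

const (
	AccessNone AccessMode = iota
	AccessRead
	AccessWrite
	AccessAdmin
	AccessOwner
)

type Repo struct {
	ID     int64
	Access map[string]AccessMode // user name -> level (constructed data)
}

type Comment struct {
	ID     int64
	RepoID int64 // repository the comment's issue belongs to
}

type Store struct {
	Repos    map[int64]*Repo
	Comments map[int64]*Comment
}

var (
	ErrNotFound  = errors.New("not found")
	ErrForbidden = errors.New("forbidden")
)

// access returns the caller's level on the repository; users absent from the
// map get AccessNone.
func (r *Repo) access(user string) AccessMode { return r.Access[user] }

// DeleteComment models POST /:owner/:repo/issues/comments/:id/delete with
// both checks: the caller must hold admin on the repository named in the
// route, AND the comment must belong to that same repository. A comment from
// another repository is reported as not found, so the endpoint cannot be
// used to confirm that an ID exists elsewhere.
func (s *Store) DeleteComment(user string, routeRepoID, commentID int64) error {
	repo, ok := s.Repos[routeRepoID]
	if !ok {
		return ErrNotFound
	}
	if repo.access(user) < AccessAdmin {
		return ErrForbidden
	}
	c, ok := s.Comments[commentID]
	if !ok || c.RepoID != routeRepoID {
		return ErrNotFound
	}
	delete(s.Comments, commentID)
	return nil
}

// DeleteRepo models DELETE /api/v1/repos/:owner/:repo with an explicit
// level check instead of relying on the read-level route assignment.
func (s *Store) DeleteRepo(user string, repoID int64) error {
	repo, ok := s.Repos[repoID]
	if !ok {
		return ErrNotFound
	}
	if repo.access(user) < AccessOwner {
		return ErrForbidden
	}
	delete(s.Repos, repoID)
	return nil
}

// SampleStore builds constructed data: alice administers repo 1 and only
// reads repo 2; bob reads both; carol owns repo 2. Comment 100 lives in
// repo 1, comment 200 in repo 2.
func SampleStore() *Store {
	return &Store{
		Repos: map[int64]*Repo{
			1: {ID: 1, Access: map[string]AccessMode{"alice": AccessAdmin, "bob": AccessRead}},
			2: {ID: 2, Access: map[string]AccessMode{"carol": AccessOwner, "alice": AccessRead, "bob": AccessRead}},
		},
		Comments: map[int64]*Comment{
			100: {ID: 100, RepoID: 1},
			200: {ID: 200, RepoID: 2},
		},
	}
}

func main() {
	s := SampleStore()
	fmt.Println("alice deletes repo 2's comment via repo 1 route:", s.DeleteComment("alice", 1, 200)) // not found
	fmt.Println("alice deletes her own repo's comment:", s.DeleteComment("alice", 1, 100))          // <nil>
	fmt.Println("bob (read) deletes repo 2:", s.DeleteRepo("bob", 2))                                 // forbidden
	fmt.Println("carol (owner) deletes repo 2:", s.DeleteRepo("carol", 2))                            // <nil>
}
```

The ordering is deliberate: the role check runs against the repository in the route before the object is loaded, and the object's own repository ID is then compared to the route. Loading by ID alone and trusting the URL for authorization is exactly the IDOR shape the first advisory describes.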