Gogs (gogs.io/gogs) vulnerabilities
73 known vulnerabilities affecting gogs.io/gogs.
Total CVEs: 73
CISA KEV: 1 (actively exploited)
Public exploits: 8
Exploited in wild: 3
Severity breakdown: CRITICAL 17, HIGH 29, MEDIUM 26, LOW 1
Vulnerabilities
Page 4 of 4
CVE-2026-26022 [HIGH] CWE-79 | P4 | affected: ≥ 0, < 0.14.2 | 2026-03-05
Gogs: Stored XSS via data URI in issue comments
### Summary
A Stored Cross-site Scripting (XSS) vulnerability exists in the comment and issue description functionality. The application's HTML sanitizer explicitly allows `data:` URI schemes, enabling authenticated users to inject arbitrary JavaScript execution via malicious links.
### Details
The vulnerability is located in `internal/markup/sanitizer.go`. The applicati
Sources: GHSA, OSV
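The fix for this class of bug is an allow-list of URL schemes applied to `href`/`src` values before they reach the page, checked the way the browser will read them (case-insensitively, after stripping the whitespace and control characters browsers tolerate). The following is an added example of such a check, written for this page; it is not Gogs' `internal/markup/sanitizer.go`, and the `allowedSchemes` policy, the `SafeHref`/`SanitizeHref` names and the sample inputs are this example's own. It assumes the input has already been HTML-entity-decoded, as a sanitizer sees it.

```go
package main

import (
	"fmt"
	"strings"
)

// Allow-list of URL schemes a Markdown/HTML sanitizer should accept in href
// and src attributes. data: and javascript: are deliberately absent.
// Example policy, not Gogs' sanitizer configuration.
var allowedSchemes = map[string]bool{
	"http":   true,
	"https":  true,
	"mailto": true,
}

// normalizeURL applies the leniency browsers apply before scheme parsing, so
// the check sees the URL the way the browser will: leading/trailing ASCII
// control characters and spaces are stripped, and tab/newline/CR anywhere in
// the value are removed ("java\tscript:" becomes "javascript:").
func normalizeURL(raw string) string {
	s := strings.TrimFunc(raw, func(r rune) bool { return r <= ' ' })
	return strings.Map(func(r rune) rune {
		if r == '\t' || r == '\n' || r == '\r' {
			return -1
		}
		return r
	}, s)
}

func isAlpha(c byte) bool {
	return ('a' <= c && c <= 'z') || ('A' <= c && c <= 'Z')
}

func isSchemeChar(c byte) bool {
	return isAlpha(c) || ('0' <= c && c <= '9') || c == '+' || c == '-' || c == '.'
}

// SafeHref reports whether an (already entity-decoded) href value may be
// emitted. Relative references are allowed; an absolute URL is accepted only
// if its scheme (RFC 3986: ALPHA *(ALPHA / DIGIT / "+" / "-" / ".") before
// the first ':') is on the allow-list, compared case-insensitively.
func SafeHref(raw string) bool {
	u := normalizeURL(raw)
	i := strings.IndexByte(u, ':')
	if i < 0 {
		return true // no scheme: "/user/repo", "#anchor", "issues?x=1"
	}
	scheme := u[:i]
	if scheme == "" || !isAlpha(scheme[0]) {
		return true // ':' belongs to the path ("/a/b:c"), not to a scheme
	}
	for j := 1; j < len(scheme); j++ {
		if !isSchemeChar(scheme[j]) {
			return true // not a syntactically valid scheme, so a relative ref
		}
	}
	return allowedSchemes[strings.ToLower(scheme)]
}

// SanitizeHref returns the normalized href, or "" (drop the attribute) when
// it is unsafe; that is the decision a sanitizer's attribute policy makes.
func SanitizeHref(raw string) string {
	if SafeHref(raw) {
		return normalizeURL(raw)
	}
	return ""
}

func main() {
	samples := []string{ // constructed inputs, including common evasions
		"https://example.com/repo",
		"/alice/demo/issues/1",
		"mailto:alice@example.com",
		"data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==",
		"  DATA:text/html,<script>alert(1)</script>",
		"java\tscript:alert(1)",
		"vbscript:msgbox(1)",
	}
	for _, s := range samples {
		fmt.Printf("%-60q safe=%v\n", s, SafeHref(s))
	}
}
```

The point of `normalizeURL` is that a check which only compares the raw prefix against `"data:"` is bypassed by `"  Data:"` or `"da\nta:"`; normalising first and then matching the scheme grammar closes that gap.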
CVE-2026-26196 [MEDIUM] CWE-598 | P4 | affected: ≥ 0, ≤ 0.13.3 | 2026-03-05
Gogs: Access tokens get exposed through URL params in API requests
### Summary
The Gogs API still accepts tokens in URL parameters such as `token` and `access_token`, which can leak through logs, browser history, and referrers.
### Details
A static review shows that the API still checks tokens in the URL query before looking at headers:
- internal/context/auth.go reads `c.Query("token")`
- int
Sources: GHSA, OSV
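Two things a practitioner wants here: an authentication path that reads the token only from the `Authorization` header and refuses the query-string form, and a retrospective check over access logs for tokens that have already leaked (those should be revoked). The following is an added example of both, written for this page; it is not Gogs' `internal/context/auth.go`, and the function names, the error values and the sample log lines are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"regexp"
	"strings"
)

var (
	ErrTokenInQuery  = errors.New("token passed in query string; send it in the Authorization header")
	ErrNoCredentials = errors.New("no credentials")
)

// TokenFromRequest returns the API token from the Authorization header
// ("token <t>" or "Bearer <t>"). Query parameters are never consulted: a
// request that still carries ?token= or ?access_token= is rejected outright,
// so clients relying on the leaky form fail loudly instead of continuing to
// spray credentials into logs, browser history and Referer headers.
// Example middleware logic, not Gogs' internal/context/auth.go.
func TokenFromRequest(r *http.Request) (string, error) {
	q := r.URL.Query()
	if q.Get("token") != "" || q.Get("access_token") != "" {
		return "", ErrTokenInQuery
	}
	auth := r.Header.Get("Authorization")
	for _, prefix := range []string{"token ", "bearer "} {
		if len(auth) > len(prefix) && strings.EqualFold(auth[:len(prefix)], prefix) {
			if tok := strings.TrimSpace(auth[len(prefix):]); tok != "" {
				return tok, nil
			}
		}
	}
	return "", ErrNoCredentials
}

// tokenParam matches token-bearing query parameters in URLs or access-log lines.
var tokenParam = regexp.MustCompile(`([?&](?:access_token|token)=)[^&\s"]*`)

// RedactTokenParams masks token values so logs do not retain usable credentials.
func RedactTokenParams(line string) string {
	return tokenParam.ReplaceAllString(line, "${1}[REDACTED]")
}

// LeakedTokenLines is the retrospective check: scan existing access logs for
// requests that carried a token in the URL (those tokens should be revoked)
// and return the matching lines with the value masked.
func LeakedTokenLines(lines []string) []string {
	var hits []string
	for _, l := range lines {
		if tokenParam.MatchString(l) {
			hits = append(hits, RedactTokenParams(l))
		}
	}
	return hits
}

// Constructed sample access-log lines (not real Gogs logs).
var sampleLog = []string{
	`10.0.0.5 - - [05/Mar/2026:10:00:01 +0000] "GET /api/v1/user/repos?token=0123abcd HTTP/1.1" 200 512`,
	`10.0.0.5 - - [05/Mar/2026:10:00:02 +0000] "GET /api/v1/user HTTP/1.1" 200 88`,
	`10.0.0.9 - - [05/Mar/2026:10:00:03 +0000] "GET /api/v1/repos/o/r?per_page=50&access_token=feed9876 HTTP/1.1" 200 1024`,
}

func main() {
	r := httptest.NewRequest("GET", "/api/v1/user?token=0123abcd", nil)
	_, err := TokenFromRequest(r)
	fmt.Println("query token:", err)

	r = httptest.NewRequest("GET", "/api/v1/user", nil)
	r.Header.Set("Authorization", "token 0123abcd")
	tok, err := TokenFromRequest(r)
	fmt.Println("header token:", tok, err)

	for _, l := range LeakedTokenLines(sampleLog) {
		fmt.Println("leak:", l)
	}
}
```

Rejecting the query form rather than silently ignoring it is deliberate: by the time the request arrives the token is already in the access log, so the only useful outcome is that the client notices and stops.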
CVE-2026-26276 [HIGH] CWE-79 | P4 | affected: ≥ 0, ≤ 0.13.3 | 2026-03-05
Gogs: DOM-based XSS via milestone selection
# Summary
It was confirmed in a test environment that an attacker can store an HTML/JavaScript payload in a repository’s **Milestone name**, and when another user selects that Milestone on the **New Issue** page (`/issues/new`), a **DOM-Based XSS** is triggered.
# Impact
* Theft of information accessible in the victim’s session.
* Extraction of CSRF tokens and submission of st
Sources: GHSA, OSV
CVE-2026-52807 [HIGH] CWE-79 | P4 | affected: ≥ 0, < 0.14.3 | 2026-06-23
Gogs has DOM-based XSS via Milestone Name on New Issue Page
### Summary
The fix for GHSA-vgjm-2cpf-4g7c (DOM-based XSS via milestone selection) was only applied to `templates/repo/issue/view_content.tmpl` but not to `templates/repo/issue/new_form.tmpl`. An attacker can store an HTML/JavaScript payload in a milestone name, and when any user opens the New Issue page and interacts with the milestone dropdown,
Sources: GHSA
CVE-2018-15178 [MEDIUM] CWE-601 | P4 | affected: ≥ 0, < 0.12.0 | 2021-06-29
Open Redirect
Open redirect vulnerability in Gogs before 0.12 allows remote attackers to redirect users to arbitrary websites and conduct phishing attacks via an initial /\ substring in the user/login redirect_to parameter, related to the function isValidRedirect in routes/user/auth.go.
Sources: GHSA, OSV
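The `/\` trick works because browsers normalise a backslash after the leading slash into a second slash, turning a "local" path into a protocol-relative URL pointing at another host. A redirect validator therefore has to reject both `//` and `/\` prefixes, backslashes anywhere, and anything that parses with a scheme or host. The following is an added, illustrative hardened check written for this page; it is not the `isValidRedirect` from `routes/user/auth.go`, and the `IsValidRedirect`/`SafeRedirect` names and sample inputs are this example's own.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// IsValidRedirect reports whether a post-login redirect_to value may be
// followed. Only same-origin paths are accepted: the value must start with a
// single '/', must not continue with '/' or '\' (browsers turn "/\evil.com"
// into "//evil.com", a protocol-relative URL to another host), must contain
// no backslashes or control characters anywhere, and must parse with no
// scheme, host or userinfo. Illustrative hardened check, not the
// isValidRedirect in routes/user/auth.go.
func IsValidRedirect(redirectTo string) bool {
	if redirectTo == "" || redirectTo[0] != '/' {
		return false
	}
	if len(redirectTo) > 1 && (redirectTo[1] == '/' || redirectTo[1] == '\\') {
		return false
	}
	if strings.ContainsAny(redirectTo, "\\\x00\r\n\t") {
		return false
	}
	u, err := url.Parse(redirectTo)
	if err != nil || u.Scheme != "" || u.Host != "" || u.User != nil {
		return false
	}
	// Re-check the decoded path so percent-encoded forms such as "/%5C..."
	// cannot reintroduce a protocol-relative prefix after decoding.
	p := u.Path
	return strings.HasPrefix(p, "/") && !strings.HasPrefix(p, "//") && !strings.HasPrefix(p, "/\\")
}

// SafeRedirect returns the location to send the user to: redirect_to if it
// passes validation, otherwise the fallback.
func SafeRedirect(redirectTo, fallback string) string {
	if IsValidRedirect(redirectTo) {
		return redirectTo
	}
	return fallback
}

func main() {
	for _, s := range []string{ // constructed inputs
		"/alice/demo",
		"/",
		`/\evil.com`,
		"//evil.com",
		"/%5Cevil.com",
		"https://evil.com/",
		`/\/evil.com`,
		"/alice/demo?tab=issues#top",
	} {
		fmt.Printf("%-30q -> %s\n", s, SafeRedirect(s, "/"))
	}
}
```

Rejecting `/%5Cevil.com` is conservative (the browser keeps the percent-encoding in the path and stays on the same origin), but a redirect target that needs an encoded backslash to be valid is not worth the ambiguity.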
CVE-2022-1464 [MEDIUM] CWE-79 | P4 | affected: ≥ 0, < 0.12.7 | 2022-05-24
Cross-site Scripting in Gogs
### Impact
A malicious user is able to upload a crafted SVG file as an issue attachment to achieve XSS. All installations that [allow uploading SVG (`text/xml`) files as issue attachments (non-default)](https://github.com/gogs/gogs/blob/e51e01683408e10b3dcd2ace65e259ca7f0fd61b/conf/app.ini#L283-L284) are affected.
### Patches
Correctly setting the Content Security Policy for the serving endpoint. Users shou
Sources: GHSA, OSV
CVE-2022-31038 [MEDIUM] CWE-79 | P4 | affected: ≥ 0, < 0.12.9 | 2022-06-08
Cross-site Scripting vulnerability in repository issue list in Gogs
### Impact
`DisplayName` accepts any characters from users, which leads to an XSS vulnerability when it is rendered unescaped in the issue list.
### Patches
`DisplayName` is sanitized before being displayed. Users should upgrade to 0.12.9 or the latest 0.13.0+dev.
### Workarounds
Check and update the existing users' display names t
Sources: GHSA, OSV
CVE-2018-17031 [MEDIUM] CWE-79 | P4 | affected: ≥ 0, < 0.12.0 | 2022-05-14
Gogs XSS Vulnerability
In Gogs 0.11.53, an attacker can use a crafted .eml file to trigger MIME type sniffing, which leads to XSS, as demonstrated by Internet Explorer, because an "X-Content-Type-Options: nosniff" header is not sent.
Sources: GHSA, OSV
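CVE-2022-1464 (script in an uploaded SVG) and CVE-2018-17031 (an `.eml` sniffed into HTML) are the same failure seen from two sides: a user-uploaded file served from the site's origin without headers that neutralise active content. The following is an added example of an attachment-serving policy that addresses both, written for this page; it is not Gogs' own serving endpoint, and the `attachments` map, the `inlineTypes` allow-list and the handler names are constructed for the example. It decides the content type from the bytes (`http.DetectContentType`), never from the uploader's claimed type or the file extension.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"path"
)

// Constructed in-memory attachment store standing in for the uploads
// directory; the SVG and .eml bodies are the shapes the two advisories
// describe, not real exploit files.
var attachments = map[string][]byte{
	"poc.svg":   []byte(`<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)"/>`),
	"mail.eml":  []byte("Subject: hi\r\n\r\n<html><script>alert(document.domain)</script></html>"),
	"logo.png":  []byte("\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"),
	"notes.txt": []byte("just text"),
}

// Content types that may be rendered inline; everything else is served as an
// opaque download. SVG is intentionally absent because it can carry script.
var inlineTypes = map[string]bool{"image/png": true, "image/jpeg": true, "image/gif": true}

// ResponseHeadersFor decides the headers for one attachment from its bytes:
//   - X-Content-Type-Options: nosniff stops the browser from sniffing an
//     .eml (or anything else) into HTML, the CVE-2018-17031 vector;
//   - a CSP with default-src 'none' and sandbox blocks script even if a
//     file is opened directly, the CVE-2022-1464 mitigation;
//   - non-image files get Content-Disposition: attachment and
//     application/octet-stream so they never execute in the site's origin.
// Example policy, not Gogs' own serving endpoint.
func ResponseHeadersFor(name string, data []byte) http.Header {
	h := http.Header{}
	h.Set("X-Content-Type-Options", "nosniff")
	h.Set("Content-Security-Policy", "default-src 'none'; style-src 'unsafe-inline'; sandbox")
	ct := http.DetectContentType(data)
	if inlineTypes[ct] {
		h.Set("Content-Type", ct)
		h.Set("Content-Disposition", fmt.Sprintf("inline; filename=%q", name))
	} else {
		h.Set("Content-Type", "application/octet-stream")
		h.Set("Content-Disposition", fmt.Sprintf("attachment; filename=%q", name))
	}
	return h
}

// ServeAttachment is the handler for GET /attachments/<name>.
func ServeAttachment(w http.ResponseWriter, r *http.Request) {
	name := path.Base(r.URL.Path)
	data, ok := attachments[name]
	if !ok {
		http.NotFound(w, r)
		return
	}
	for k, v := range ResponseHeadersFor(name, data) {
		w.Header()[k] = v
	}
	w.Header().Set("Content-Length", fmt.Sprint(len(data)))
	w.Write(data)
}

func main() {
	for _, name := range []string{"poc.svg", "mail.eml", "logo.png", "notes.txt"} {
		rec := httptest.NewRecorder()
		ServeAttachment(rec, httptest.NewRequest("GET", "/attachments/"+name, nil))
		fmt.Printf("%-10s %s | %s\n", name, rec.Header().Get("Content-Type"), rec.Header().Get("Content-Disposition"))
	}
}
```

The `nosniff` and CSP headers are set unconditionally, including on the inline image types, so the policy does not depend on the content-detection being right.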
CVE-2025-64719 [MEDIUM] CWE-20 | P4 | affected: ≥ 0, < 0.14.3 | 2026-06-22
Gogs has a Denial of Service in repository/wiki file listing web pages
### Summary
A malicious user with rights to create a new file on a repository or wiki page can trigger a denial of service condition in which the pages containing the listing of files will return HTTP error 500 and render the web interface unusable for the repository or wiki.
### Details
The issue is present in file `intern
Sources: GHSA
CVE-2014-8683 [MEDIUM] CWE-79 | P4 | affected: ≥ 0.3.1, < 0.5.8 | 2021-06-29
Cross-site Scripting in Gogs
Cross-site scripting (XSS) vulnerability in models/issue.go in Gogs (aka Go Git Service) 0.3.1-9 through 0.5.x before 0.5.8 allows remote attackers to inject arbitrary web script or HTML via the text parameter to api/v1/markdown.
Sources: GHSA, OSV
CVE-2026-52796 [LOW] CWE-1336 | P4 | affected: ≥ 0, < 0.14.3 | 2026-06-22
Gogs has DoS in rendering issue index pattern
### Summary
A specially crafted issue index pattern template can cause a panic.
### Details
In `internal/markup/markup.go`:
```go
link = fmt.Sprintf(`%s`, com.Expand(metas["format"], metas), m)
```
The issue index pattern is rendered into a link with `com.Expand`, but `com.Expand` does not guard against a malformed template:
```go
i = strings.Index(template, "}")
if s, ok := match[template[:i]]; ok {
```
when `{` is
Sources: GHSA
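The snippet above indexes with the result of `strings.Index(template, "}")` without checking it; when the template contains a `{` with no closing `}`, that result is -1 and the slice expression panics, which is the denial of service. The following is an added example, written for this page, of the same `{key}` expansion done safely, plus a `recover()` wrapper so that a panic in any rendering helper degrades to an error for one issue reference rather than a failed page. It is not a patch to `github.com/unknwon/com`, and the `Expand`/`RenderIssueLink` names and the sample metadata are this example's own.

```go
package main

import (
	"fmt"
	"strings"
)

// Expand substitutes {key} placeholders in tmpl from metas, the contract the
// issue index pattern relies on. Unlike template[:strings.Index(template, "}")]
// in the snippet above, an unterminated '{' and unknown keys are kept as
// literal text instead of indexing with -1 and panicking. Added example; not a
// patch to github.com/unknwon/com.
func Expand(tmpl string, metas map[string]string) string {
	var b strings.Builder
	for {
		i := strings.IndexByte(tmpl, '{')
		if i < 0 {
			b.WriteString(tmpl)
			return b.String()
		}
		b.WriteString(tmpl[:i])
		rest := tmpl[i+1:]
		j := strings.IndexByte(rest, '}')
		if j < 0 {
			b.WriteString(tmpl[i:]) // no closing brace: emit the tail verbatim
			return b.String()
		}
		key := rest[:j]
		if v, ok := metas[key]; ok {
			b.WriteString(v)
		} else {
			b.WriteString("{" + key + "}") // unknown key: leave the placeholder
		}
		tmpl = rest[j+1:]
	}
}

// RenderIssueLink is the rendering step with a recover() safety net, so a
// bug in any expansion routine degrades to an error for that one issue
// reference rather than a panic that takes out the whole page render.
func RenderIssueLink(metas map[string]string, index string) (link string, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("issue link render: %v", r)
		}
	}()
	m := make(map[string]string, len(metas)+1)
	for k, v := range metas {
		m[k] = v
	}
	m["index"] = index
	return Expand(m["format"], m), nil
}

func main() {
	metas := map[string]string{ // constructed repository metadata
		"user":   "alice",
		"repo":   "demo",
		"format": "https://tracker.example/{user}/{repo}/issues/{index}",
	}
	fmt.Println(RenderIssueLink(metas, "42"))
	metas["format"] = "https://tracker.example/{user}/{index" // malformed pattern
	fmt.Println(RenderIssueLink(metas, "42"))
}
```

The recover wrapper is defence in depth, not the fix: the value a user can control (the format string) must be handled by code that cannot panic on it, and the wrapper only bounds the damage if some other helper still can.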
CVE-2026-25120 [MEDIUM] CWE-639 | P4 | affected: ≥ 0, < 0.14.0 | 2026-02-17
Gogs Allows Cross-Repository Comment Deletion via DeleteComment
# IDOR: Cross-Repository Comment Deletion via DeleteComment
## Summary
The `POST /:owner/:repo/issues/comments/:id/delete` endpoint does not verify that the comment belongs to the repository specified in the URL. This allows a repository administrator to delete comments from any other repository by supplying arbitrary comment IDs, bypa
Sources: GHSA, OSV
CVE-2025-65852 [MEDIUM] CWE-284 | affected: ≥ 0, < 0.13.4 | 2026-02-06
Gogs has authorization bypass in repository deletion API
### Summary
The DELETE /api/v1/repos/:owner/:repo endpoint lacks necessary permission validation middleware. Consequently, any user with read access (including read-only collaborators) can delete the entire repository.
This vulnerability stems from the API route configuration only utilizing the repoAssignment() middleware (which only verifies read a
Sources: GHSA, OSV
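CVE-2026-25120 and CVE-2025-65852 are both missing-authorization bugs on delete operations: the comment endpoint trusts the comment ID without tying it to the repository in the URL (an object-level check), and the repository endpoint stops at "can read this repository" when it needs "can administer this repository" (a privilege-level check). The following is an added example, written for this page, of both checks over a constructed in-memory model; it is not Gogs' code, and the `AccessMode` ordering, the `Store` type, the fixture users and the rule that a comment's own author may delete it are assumptions of the example.

```go
package main

import (
	"errors"
	"fmt"
)

// AccessMode mirrors the ordering a forge uses for repository permissions.
type AccessMode int

const (
	AccessNone AccessMode = iota
	AccessRead
	AccessWrite
	AccessAdmin
	AccessOwner
)

var (
	ErrNotFound  = errors.New("not found")
	ErrForbidden = errors.New("forbidden")
)

type Comment struct {
	ID       int64
	RepoID   int64
	PosterID int64
}

// Store is a constructed in-memory model standing in for the database.
type Store struct {
	repos    map[int64]bool
	access   map[int64]map[int64]AccessMode // userID -> repoID -> mode
	comments map[int64]*Comment
}

func (s *Store) accessOf(userID, repoID int64) AccessMode {
	return s.access[userID][repoID] // nil inner map yields AccessNone
}

// DeleteRepository is the check DELETE /api/v1/repos/:owner/:repo needs on top
// of repoAssignment(): resolving the repository proves read access, deleting it
// requires admin or owner.
func (s *Store) DeleteRepository(userID, repoID int64) error {
	if !s.repos[repoID] {
		return ErrNotFound
	}
	if s.accessOf(userID, repoID) < AccessAdmin {
		return ErrForbidden
	}
	delete(s.repos, repoID)
	return nil
}

// DeleteComment is the check POST /:owner/:repo/issues/comments/:id/delete
// needs: the comment is looked up scoped to the repository in the URL, so a
// comment ID from another repository is simply not found, and only then is the
// caller's permission on that repository consulted (admin, or the comment's own
// author; the author rule is an assumption of this example).
func (s *Store) DeleteComment(userID, repoID, commentID int64) error {
	c, ok := s.comments[commentID]
	if !ok || c.RepoID != repoID {
		return ErrNotFound // same answer whether missing or belonging elsewhere
	}
	mode := s.accessOf(userID, repoID)
	if mode < AccessAdmin && !(mode >= AccessRead && c.PosterID == userID) {
		return ErrForbidden
	}
	delete(s.comments, commentID)
	return nil
}

// NewDemoStore builds constructed fixture data: alice (1) owns repo 1, bob (2)
// reads repo 1, carol (3) administers repo 2.
func NewDemoStore() *Store {
	return &Store{
		repos: map[int64]bool{1: true, 2: true},
		access: map[int64]map[int64]AccessMode{
			1: {1: AccessOwner},
			2: {1: AccessRead},
			3: {2: AccessAdmin},
		},
		comments: map[int64]*Comment{
			10: {ID: 10, RepoID: 1, PosterID: 1},
			20: {ID: 20, RepoID: 2, PosterID: 3},
		},
	}
}

func main() {
	s := NewDemoStore()
	fmt.Println("bob deletes repo 1:", s.DeleteRepository(2, 1))
	fmt.Println("carol deletes comment 10 via repo 2:", s.DeleteComment(3, 2, 10))
	fmt.Println("alice deletes comment 10 via repo 1:", s.DeleteComment(1, 1, 10))
	fmt.Println("alice deletes repo 1:", s.DeleteRepository(1, 1))
}
```

Returning "not found" for a cross-repository comment ID, rather than "forbidden", is deliberate: it gives an attacker no oracle for which comment IDs exist in repositories they cannot see.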