CVE-2026-26022
Gogs: Stored XSS via data URI in issue comments
CVSS Score
8.7
EPSS Score
0.0%
EPSS Percentile
0th
Gogs is an open source self-hosted Git service. Prior to version 0.14.2, a stored cross-site scripting (XSS) vulnerability exists in the comment and issue description functionality. The application's HTML sanitizer explicitly allows data: URI schemes, enabling authenticated users to inject arbitrary JavaScript execution via malicious links. This issue has been patched in version 0.14.2.
| CWE | CWE-79 |
| Vendor | gogs |
| Product | gogs |
| Published | Mar 5, 2026 |
| Last Updated | Mar 10, 2026 |
Stay Ahead of the Next One
Get instant alerts for gogs gogs
Be the first to know when new high vulnerabilities affecting gogs gogs are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None
Affected Versions
gogs / gogs
< 0.14.2