๐Ÿ” CVE Alert

CVE-2026-59102

MEDIUM 5.4

Forgejo < 15.0.3 - Stored XSS via Actions Run Full Name Rendering

CVSS Score
5.4
EPSS Score
0.0%
EPSS Percentile
0th

Forgejo before 15.0.3 contains a stored cross-site scripting vulnerability that allows authenticated attackers to execute arbitrary JavaScript in other users' browsers by setting a full name containing an HTML payload and triggering an Actions run. When the DEFAULT_SHOW_FULL_NAME option is enabled, the run description is assembled server-side with the user's display name interpolated into an HTML string via a translation function that does not escape its arguments, and the frontend renders the result using a Vue v-html binding, causing script execution for any user who views the affected Actions run page.
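As an added illustration of the root cause described above (not Forgejo's own code): a minimal Go translation helper that formats its arguments verbatim, beside a hardened variant that HTML-escapes every argument before placing it into the trusted message. The message key, helper names and the sample display name are constructed assumptions.

```go
package main

import (
	"fmt"
	"html"
	"html/template"
)

// Constructed locale table standing in for a translation file. The markup in
// the message is trusted; the %s placeholders are filled at runtime.
var messages = map[string]string{
	"actions.run.description": "<strong>%s</strong> triggered by %s",
}

// tr mimics a translation function that interpolates its arguments verbatim.
// Feeding user-controlled values through it into an HTML string is the flaw
// the advisory describes (hypothetical helper, not Forgejo's API).
func tr(key string, args ...any) string {
	return fmt.Sprintf(messages[key], args...)
}

// trHTML is the hardened counterpart: each argument is escaped before it is
// formatted into the message, so attacker-supplied tags render as text even
// when the result is later bound with v-html.
func trHTML(key string, args ...any) template.HTML {
	escaped := make([]any, len(args))
	for i, a := range args {
		escaped[i] = html.EscapeString(fmt.Sprint(a))
	}
	return template.HTML(fmt.Sprintf(messages[key], escaped...))
}

// runDescriptionUnsafe assembles the run description the vulnerable way.
func runDescriptionUnsafe(workflow, fullName string) string {
	return tr("actions.run.description", workflow, fullName)
}

// runDescriptionSafe assembles it with every untrusted argument escaped.
func runDescriptionSafe(workflow, fullName string) string {
	return string(trHTML("actions.run.description", workflow, fullName))
}

func main() {
	// Constructed sample: a display name carrying an HTML payload.
	name := `Alice <img src=x onerror="alert(1)">`
	fmt.Println("unsafe:", runDescriptionUnsafe("ci.yml", name))
	fmt.Println("safe:  ", runDescriptionSafe("ci.yml", name))
}
```

The escaped output keeps the trusted `<strong>` markup from the message while the display name's tag arrives as `&lt;img ...&gt;`, which is the property a regression test for this class of bug should assert.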

CWE CWE-79
Vendor forgejo
Product forgejo
Published Jul 2, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Affected Versions

forgejo / forgejo
0 < 15.0.3

References

NVD, CVE.org, EPSS Data

codeberg.org: https://codeberg.org/forgejo/forgejo/src/branch/forgejo/release-notes-published/15.0.3.md
github.com: https://github.com/geo-chen/oss/blob/main/forgejo.md
codeberg.org: https://codeberg.org/forgejo/forgejo/pulls/13002
vulncheck.com: https://www.vulncheck.com/advisories/forgejo-stored-xss-via-actions-run-full-name-rendering

Credits

George Chen