Description

Gogs is an open source self-hosted Git service. Prior to version 0.14.2, a stored cross-site scripting (XSS) vulnerability exists in the comment and issue description functionality. The application's HTML sanitizer explicitly allows data: URI schemes, enabling authenticated users to inject arbitrary JavaScript execution via malicious links. This issue has been patched in version 0.14.2.

INFO

Published Date :

2026-03-05T18:34:12.843Z

Last Modified :

2026-03-07T04:55:31.969Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-26022 vulnerability.

Vendors Products
Gogs
  • Gogs
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-26022.

URL Resource
https://github.com/gogs/gogs/commit/441c64d7bd8893b2f4e48660a8be3a7472e14291 cve-icon cve-icon
https://github.com/gogs/gogs/pull/8174 cve-icon cve-icon
https://github.com/gogs/gogs/releases/tag/v0.14.2 cve-icon cve-icon
https://github.com/gogs/gogs/security/advisories/GHSA-xrcr-gmf5-2r8j cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact