Gogs Stored Cross-Site Scripting Vulnerability in Branch and Wiki Views

Vulnerability

A stored cross-site scripting vulnerability has been identified in Gogs, an open-source self-hosted Git service, in versions prior to 0.14.2. The issue stems from unsafe template rendering of user-controlled input combined with a sanitizer that is permissive about data: URLs, allowing script execution on affected pages. It affects the branch and wiki views, where commit author and committer names are rendered without proper escaping. Because these names come from commit metadata rather than from Gogs accounts, anyone who can push a commit controls them and can embed a script payload that is stored in the repository and served to every viewer of the affected page.
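To make the root cause concrete, the following Go program (added here as an illustration; it is not Gogs code and does not reproduce Gogs' actual templates or sanitizer) renders a constructed commit record two ways: once with `text/template`, which performs no escaping and so reproduces the "rendered without proper escaping" failure, and once with `html/template`, which escapes per context. It also shows a small scheme allowlist in a permissive form that admits `data:` URLs beside the corrected strict form. The `Commit` type, the `view` template, the `Link` field and the `AllowedLink` helper are all assumptions made for the example.

```go
package main

import (
	"fmt"
	htmltemplate "html/template"
	"net/url"
	"strings"
	texttemplate "text/template"
)

// Commit carries the fields a branch or wiki view renders. Author and Committer
// come straight from the commit object, so anyone who can push controls them,
// e.g. `git -c user.name='<img src=x onerror=alert(1)>' commit --allow-empty -m x`.
// Link is a hypothetical per-commit URL (avatar/profile) used here to show how
// a data: URL slips past a permissive scheme allowlist.
type Commit struct {
	Author    string
	Committer string
	Link      string
}

// attackerCommit is constructed sample input, not real Gogs data.
var attackerCommit = Commit{
	Author:    `<img src=x onerror="alert(document.cookie)">`,
	Committer: "Alice",
	Link:      "data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==",
}

// view is a minimal stand-in for a branch-list row; it is not a Gogs template.
const view = `<li>{{.Author}} committed, {{.Committer}} pushed <a href="{{.Link}}">profile</a></li>`

// RenderUnsafe renders with text/template, which performs no escaping at all:
// the author name and the data: link reach the browser verbatim.
func RenderUnsafe(c Commit) string {
	t := texttemplate.Must(texttemplate.New("view").Parse(view))
	var sb strings.Builder
	if err := t.Execute(&sb, c); err != nil {
		panic(err)
	}
	return sb.String()
}

// RenderSafe renders the same template with html/template, which escapes per
// context: HTML text is entity-encoded and href values whose scheme is not
// http, https or mailto are replaced by "#ZgotmplZ".
func RenderSafe(c Commit) string {
	t := htmltemplate.Must(htmltemplate.New("view").Parse(view))
	var sb strings.Builder
	if err := t.Execute(&sb, c); err != nil {
		panic(err)
	}
	return sb.String()
}

// PermissiveSchemes models a sanitizer allowlist that also admits data: URLs;
// StrictSchemes is the corrected one. Both are illustrative, not Gogs' config.
var (
	PermissiveSchemes = map[string]bool{"http": true, "https": true, "mailto": true, "data": true}
	StrictSchemes     = map[string]bool{"http": true, "https": true, "mailto": true}
)

// AllowedLink reports whether raw may be emitted as a link target under allow.
// Scheme-less (relative) links are accepted; anything else must be allowlisted.
func AllowedLink(raw string, allow map[string]bool) bool {
	// Browsers drop ASCII tab, CR and LF anywhere in a URL, so "java\tscript:"
	// is still javascript: to them; strip those before classifying.
	cleaned := strings.Map(func(r rune) rune {
		if r == '\t' || r == '\n' || r == '\r' {
			return -1
		}
		return r
	}, raw)
	u, err := url.Parse(cleaned)
	if err != nil {
		return false
	}
	if u.Scheme == "" {
		return true
	}
	return allow[strings.ToLower(u.Scheme)]
}

func main() {
	fmt.Println("text/template:", RenderUnsafe(attackerCommit))
	fmt.Println("html/template:", RenderSafe(attackerCommit))
	fmt.Println("data: link, permissive allowlist:", AllowedLink(attackerCommit.Link, PermissiveSchemes))
	fmt.Println("data: link, strict allowlist:    ", AllowedLink(attackerCommit.Link, StrictSchemes))
}
```

Run with `go run .`: the first line contains the raw `<img ... onerror=...>` and `href="data:..."`, the second has the tag entity-encoded and the link replaced by `#ZgotmplZ`. The allowlist check is the part that matters for the "permissive sanitizer" half of the bug: an allowlist that names `data` explicitly will pass an HTML document encoded in the URL itself, so the fix is to keep the scheme allowlist to the few schemes the view actually needs and to normalise away tab and newline characters before classifying.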

Impact

Exploitation results in stored cross-site scripting: the injected script runs in the browser of any user who views the affected branch or wiki page, within that user's authenticated session. This can lead to session hijacking, theft of CSRF tokens, or unauthorized actions performed on behalf of the victim.

Remediation

Upgrade to Gogs version 0.14.2 or later, where this vulnerability has been patched. Because the payload lives in commit metadata, upgrading does not remove it from repository history; it only stops the affected views from rendering it unescaped. Until the upgrade is applied, treat the branch and wiki pages of any repository that untrusted users can push to as potentially hostile.

Added: Mar 5, 2026, 7:29 PM
Updated: Mar 5, 2026, 7:49 PM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 1.7
exploitability: 5.7
remediation: 7.7
relevance: 3.5
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.