GHSA-VCM5-GVMP-78MP
Vulnerability from github – Published: 2026-06-23 17:02 – Updated: 2026-06-23 17:02
Summary
The fix for GHSA-vgjm-2cpf-4g7c (DOM-based XSS via milestone selection) was only applied to templates/repo/issue/view_content.tmpl but not to templates/repo/issue/new_form.tmpl. An attacker can store an HTML/JavaScript payload in a milestone name, and when any user opens the New Issue page and interacts with the milestone dropdown, the payload executes in their browser via Semantic UI's preserveHTML behavior.
Details
GHSA-vgjm-2cpf-4g7c was patched by adding | Sanitize (bluemonday HTML tag stripping) to milestone name rendering in view_content.tmpl. However, the same milestone dropdown exists in new_form.tmpl and was not patched.
In new_form.tmpl, milestone names are rendered with Go's default auto-escaping ({{.Name}}), which converts < to &lt; and so on. This prevents direct HTML injection. However, when the browser renders the DOM, the text content of the element contains the decoded original payload (e.g., <img src=x onerror=alert(1)>).
Semantic UI 2.4.2's dropdown component has preserveHTML: true as the default setting. When a user selects a dropdown item, the internal set.text() method calls jQuery's .html() with the item's text content. This re-parses the decoded text as HTML, creating the injected element and triggering the JavaScript event handler.
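The escape, decode, re-parse chain described above, modelled as an added example (not code from Gogs, Semantic UI or bluemonday). The tag stripper is a minimal stand-in for the Sanitize step and the parser models which elements and on* handlers jQuery's .html() would create; both are assumptions, as is the function name simulate_dropdown.

```python
import html
from html.parser import HTMLParser


class EventHandlerSink(HTMLParser):
    """Models jQuery .html(): parses the string as markup and records any
    on* event-handler attributes on the elements a browser would create."""
    def __init__(self):
        super().__init__()
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name.lower().startswith("on"):
                self.handlers.append((tag, name, value))


class TagStripper(HTMLParser):
    """Minimal stand-in (assumption) for bluemonday tag stripping:
    keeps only text nodes, drops every tag and its attributes."""
    def __init__(self):
        super().__init__()
        self.parts = []

    def handle_data(self, data):
        self.parts.append(data)


def sanitize(name):
    """Server-side equivalent of the `| Sanitize` template step (modelled)."""
    stripper = TagStripper()
    stripper.feed(name)
    stripper.close()
    return "".join(stripper.parts)


def simulate_dropdown(milestone_name, sanitize_first=False, preserve_html=True):
    """Return the (tag, attribute, value) event handlers that end up live in
    the victim's DOM after selecting the milestone in the dropdown."""
    name = sanitize(milestone_name) if sanitize_first else milestone_name
    rendered = html.escape(name, quote=True)    # Go html/template {{.Name}}: no raw '<' reaches the page
    text_content = html.unescape(rendered)      # browser decodes entities back into the element's textContent
    if not preserve_html:
        return []                               # preserveHTML:false -> .text(): nothing is parsed as markup
    sink = EventHandlerSink()
    sink.feed(text_content)                     # preserveHTML:true -> .html(textContent): re-parsed as HTML
    sink.close()
    return sink.handlers
```

Run with the page's payload to see that template escaping alone leaves an onerror handler live, while either stripping tags server-side or disabling preserveHTML returns an empty list.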
PoC
poc.zip: https://github.com/user-attachments/files/26508268/poc.zip
Please extract the uploaded compressed file before proceeding.
- docker compose up --build
Impact
- Stored DOM XSS: Any user with write access to a repository can create a malicious milestone. Any other user who visits the New Issue page and interacts with the milestone dropdown will have arbitrary JavaScript executed in their browser session.
- Session hijacking: The attacker can steal session cookies, perform actions as the victim, or escalate privileges.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "gogs.io/gogs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.14.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-52807"
],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-23T17:02:52Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\nThe fix for GHSA-vgjm-2cpf-4g7c (DOM-based XSS via milestone selection) was only applied to `templates/repo/issue/view_content.tmpl` but not to `templates/repo/issue/new_form.tmpl`. An attacker can store an HTML/JavaScript payload in a milestone name, and when any user opens the New Issue page and interacts with the milestone dropdown, the payload executes in their browser via Semantic UI\u0027s `preserveHTML` behavior.\n\n### Details\nGHSA-vgjm-2cpf-4g7c was patched by adding `| Sanitize` (bluemonday HTML tag stripping) to milestone name rendering in `view_content.tmpl`. However, the same milestone dropdown exists in `new_form.tmpl` and was **not** patched.\n\nIn `new_form.tmpl`, milestone names are rendered with Go\u0027s default auto-escaping (`{{.Name}}`), which converts `\u003c` to `\u0026lt;` etc. This prevents direct HTML injection. However, when the browser renders the DOM, the text content of the element contains the **decoded** original payload (e.g., `\u003cimg src=x onerror=alert(1)\u003e`).\n\nSemantic UI 2.4.2\u0027s dropdown component has `preserveHTML: true` as the default setting. When a user selects a dropdown item, the internal `set.text()` method calls jQuery\u0027s `.html()` with the item\u0027s text content. This re-parses the decoded text as HTML, creating the injected element and triggering the JavaScript event handler.\n\n### PoC\n[poc.zip](https://github.com/user-attachments/files/26508268/poc.zip)\nPlease extract the uploaded compressed file before proceeding\n\n1. docker compose up --build\n\n\u003cimg width=\"1325\" height=\"315\" alt=\"\u1109\u1173\u110f\u1173\u1105\u1175\u11ab\u1109\u1163\u11ba 2026-04-06 \u110b\u1169\u1112\u116e 9 34 05\" src=\"https://github.com/user-attachments/assets/87895cce-5b8e-4320-829a-87a5890cc0d9\" /\u003e\n\n### Impact\n- Stored DOM XSS: Any user with write access to a repository can create a malicious milestone. Any other user who visits the New Issue page and interacts with the milestone dropdown will have arbitrary JavaScript executed in their browser session.\n- Session hijacking: The attacker can steal session cookies, perform actions as the victim, or escalate privileges.",
"id": "GHSA-vcm5-gvmp-78mp",
"modified": "2026-06-23T17:02:52Z",
"published": "2026-06-23T17:02:52Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/gogs/gogs/security/advisories/GHSA-vcm5-gvmp-78mp"
},
{
"type": "WEB",
"url": "https://github.com/gogs/gogs/pull/8325"
},
{
"type": "WEB",
"url": "https://github.com/gogs/gogs/commit/573eacdc658641487f8ad883da96b29ec8e2852d"
},
{
"type": "PACKAGE",
"url": "https://github.com/gogs/gogs"
},
{
"type": "WEB",
"url": "https://github.com/gogs/gogs/releases/tag/v0.14.3"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Gogs has DOM-based XSS via Milestone Name on New Issue Page"
}