GHSA-6VXV-WG6J-5QWP

Vulnerability from github – Published: 2026-06-19 21:42 – Updated: 2026-06-19 21:42
VLAI
Summary
Gogs: XSS in .ipynb files renderer due to outdated notebookjs
Details

Summary

Gogs renders Jupyter notebook files (.ipynb) using jsvine/notebookjs, but the version is outdated, missing patches for known XSS vulnerabilities.

Details

Gogs uses version 0.4.2 of notebookjs to render Jupyter notebook files:

https://github.com/gogs/gogs/blob/7297aee50d4c115836c7de8a3a233daaef87b911/templates/base/head.tmpl#L47

The latest version of jsvine/notebookjs is 0.8.3, patching many XSS vulnerabilities in its releases. The proof of concept below shows an example working payload that renders HTML through Markdown.

PoC

  1. Create a new repository
  2. Create a file inside the repository named xss.ipynb and give it the following content:
{"cells": [{"cell_type": "markdown", "metadata": {}, "source": ["<img src=x onerror=\"alert(origin)\">"]}], "metadata": {}, "nbformat": 4, "nbformat_minor": 2}

image

  1. Save the file and view the file in Gogs. Notice that the XSS popup triggers:

image

Impact

Any user with rights to create repositories can create XSS payloads that take over the victim's account when visited. Either through their own exploration of the files or by directly linking them the vulnerable URL.

Severity
8.5 (High)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "gogs.io/gogs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.14.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-1395",
      "CWE-80"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-19T21:42:52Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\n\nGogs renders Jupyter notebook files (`.ipynb`) using [jsvine/notebookjs](https://github.com/jsvine/notebookjs), but the version is outdated, missing patches for known XSS vulnerabilities.\n\n### Details\n\nGogs uses version 0.4.2 of notebookjs to render Jupyter notebook files:\n\nhttps://github.com/gogs/gogs/blob/7297aee50d4c115836c7de8a3a233daaef87b911/templates/base/head.tmpl#L47\n\nThe latest version of [jsvine/notebookjs](https://github.com/jsvine/notebookjs) is 0.8.3, patching many XSS vulnerabilities in its releases. The proof of concept below shows an example working payload that renders HTML through Markdown.\n\n### PoC\n\n1. Create a new repository\n2. Create a file inside the repository named `xss.ipynb` and give it the following content:\n\n```json\n{\"cells\": [{\"cell_type\": \"markdown\", \"metadata\": {}, \"source\": [\"\u003cimg src=x onerror=\\\"alert(origin)\\\"\u003e\"]}], \"metadata\": {}, \"nbformat\": 4, \"nbformat_minor\": 2}\n```\n\n\u003cimg width=\"1054\" height=\"208\" alt=\"image\" src=\"https://github.com/user-attachments/assets/49b7f33c-c4df-4537-99e9-b1ea74f2c6de\" /\u003e\n\n3. Save the file and view the file in Gogs. Notice that the XSS popup triggers:\n\n\u003cimg width=\"1317\" height=\"407\" alt=\"image\" src=\"https://github.com/user-attachments/assets/3b18d870-7194-41b0-92db-687e952abc07\" /\u003e\n\n### Impact\n\nAny user with rights to create repositories can create XSS payloads that take over the victim\u0027s account when visited. Either through their own exploration of the files or by directly linking them the vulnerable URL.",
  "id": "GHSA-6vxv-wg6j-5qwp",
  "modified": "2026-06-19T21:42:52Z",
  "published": "2026-06-19T21:42:52Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/gogs/gogs/security/advisories/GHSA-6vxv-wg6j-5qwp"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/gogs/gogs"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Gogs: XSS in .ipynb files renderer due to outdated notebookjs"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.