GHSA-VCM5-GVMP-78MP

Vulnerability from github – Published: 2026-06-23 17:02 – Updated: 2026-06-23 17:02
Summary
Gogs has DOM-based XSS via Milestone Name on New Issue Page
Details

Summary

The fix for GHSA-vgjm-2cpf-4g7c (DOM-based XSS via milestone selection) was only applied to templates/repo/issue/view_content.tmpl but not to templates/repo/issue/new_form.tmpl. An attacker can store an HTML/JavaScript payload in a milestone name, and when any user opens the New Issue page and interacts with the milestone dropdown, the payload executes in their browser via Semantic UI's preserveHTML behavior.

Details

GHSA-vgjm-2cpf-4g7c was patched by adding | Sanitize (bluemonday HTML tag stripping) to milestone name rendering in view_content.tmpl. However, the same milestone dropdown exists in new_form.tmpl and was not patched.

In new_form.tmpl, milestone names are rendered with Go's default auto-escaping ({{.Name}}), which converts < to &lt; etc. This prevents direct HTML injection. However, when the browser renders the DOM, the text content of the element contains the decoded original payload (e.g., <img src=x onerror=alert(1)>).

Semantic UI 2.4.2's dropdown component has preserveHTML: true as the default setting. When a user selects a dropdown item, the internal set.text() method calls jQuery's .html() with the item's text content. This re-parses the decoded text as HTML, creating the injected element and triggering the JavaScript event handler.
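To make the escape-then-re-parse chain above concrete, the following added example (not Gogs or Semantic UI code) models the three steps as plain string functions: Go template escaping, the browser's decoded textContent, and Semantic UI's set.text() under both preserveHTML settings, plus a simplified stand-in for the server-side `| Sanitize` fix. The milestone name is a constructed sample built from the payload quoted in the advisory; `stripTags` is an illustration, not bluemonday.

```javascript
// Added example, not Gogs or Semantic UI code. Models the advisory's three steps
// (Go template escaping -> browser textContent -> Semantic UI set.text()) as pure
// string functions so the round trip can be checked without a browser.

// Step 1: Go html/template auto-escaping of {{.Name}}, as new_form.tmpl does.
function goTemplateEscape(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;")
          .replace(/"/g, "&#34;").replace(/'/g, "&#39;");
}

// Step 2: the browser parses that markup; the element's textContent is the decoded original.
function browserTextContent(html) {
  return html.replace(/&lt;/g, "<").replace(/&gt;/g, ">").replace(/&#34;/g, '"')
             .replace(/&#39;/g, "'").replace(/&amp;/g, "&");
}

// Step 3: Semantic UI's set.text(). With preserveHTML:true it hands the text to jQuery's
// .html(), so the string is parsed as markup; with preserveHTML:false it uses .text(),
// which escapes it again and keeps it inert.
function semanticSetText(text, preserveHTML) {
  return preserveHTML ? text : goTemplateEscape(text);
}

// Server-side stand-in for the `| Sanitize` fix: strip tags before the template escapes.
// Simplified illustration, not bluemonday.
function stripTags(s) {
  return s.replace(/<[^>]*>/g, "");
}

// Markup that finally reaches the selected-value element for a given configuration.
function renderedMarkup(milestoneName, { preserveHTML, sanitize }) {
  const stored = sanitize ? stripTags(milestoneName) : milestoneName;
  const text = browserTextContent(goTemplateEscape(stored));
  return semanticSetText(text, preserveHTML);
}

// Detection helper: does the final markup contain a tag carrying an on* event attribute?
function createsEventHandler(markup) {
  return /<[a-z][^>]*\son[a-z]+\s*=/i.test(markup);
}

const SAMPLE = "Release 1.0 <img src=x onerror=alert(1)>"; // constructed sample

for (const cfg of [{ preserveHTML: true, sanitize: false },
                   { preserveHTML: false, sanitize: false },
                   { preserveHTML: true, sanitize: true }]) {
  console.log(JSON.stringify(cfg), "-> event handler reaches DOM:",
              createsEventHandler(renderedMarkup(SAMPLE, cfg)));
}
```

Only the first configuration (the unpatched new_form.tmpl with the Semantic UI default) lets the handler reach the DOM; either turning off preserveHTML or sanitizing server-side breaks the chain.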

PoC

poc.zip: https://github.com/user-attachments/files/26508268/poc.zip
Please extract the uploaded compressed file before proceeding.

  1. docker compose up --build

(Screenshot: 2026-04-06 9:34:05 PM)

Impact

  • Stored DOM XSS: Any user with write access to a repository can create a malicious milestone. Any other user who visits the New Issue page and interacts with the milestone dropdown will have arbitrary JavaScript executed in their browser session.
  • Session hijacking: The attacker can steal session cookies, perform actions as the victim, or escalate privileges.

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "gogs.io/gogs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.14.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-52807"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-23T17:02:52Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\nThe fix for GHSA-vgjm-2cpf-4g7c (DOM-based XSS via milestone selection) was only applied to `templates/repo/issue/view_content.tmpl` but not to `templates/repo/issue/new_form.tmpl`. An attacker can store an HTML/JavaScript payload in a milestone name, and when any user opens the New Issue page and interacts with the milestone dropdown, the payload executes in their browser via Semantic UI\u0027s `preserveHTML` behavior.\n\n### Details\nGHSA-vgjm-2cpf-4g7c was patched by adding `| Sanitize` (bluemonday HTML tag stripping) to milestone name rendering in `view_content.tmpl`. However, the same milestone dropdown exists in `new_form.tmpl` and was **not** patched.\n\nIn `new_form.tmpl`, milestone names are rendered with Go\u0027s default auto-escaping (`{{.Name}}`), which converts `\u003c` to `\u0026lt;` etc. This prevents direct HTML injection. However, when the browser renders the DOM, the text content of the element contains the **decoded** original payload (e.g., `\u003cimg src=x onerror=alert(1)\u003e`).\n\nSemantic UI 2.4.2\u0027s dropdown component has `preserveHTML: true` as the default setting. When a user selects a dropdown item, the internal `set.text()` method calls jQuery\u0027s `.html()` with the item\u0027s text content. This re-parses the decoded text as HTML, creating the injected element and triggering the JavaScript event handler.\n\n### PoC\n[poc.zip](https://github.com/user-attachments/files/26508268/poc.zip)\nPlease extract the uploaded compressed file before proceeding\n\n1. docker compose up --build\n\n\u003cimg width=\"1325\" height=\"315\" alt=\"\u1109\u1173\u110f\u1173\u1105\u1175\u11ab\u1109\u1163\u11ba 2026-04-06 \u110b\u1169\u1112\u116e 9 34 05\" src=\"https://github.com/user-attachments/assets/87895cce-5b8e-4320-829a-87a5890cc0d9\" /\u003e\n\n### Impact\n- Stored DOM XSS: Any user with write access to a repository can create a malicious milestone. Any other user who visits the New Issue page and interacts with the milestone dropdown will have arbitrary JavaScript executed in their browser session.\n- Session hijacking: The attacker can steal session cookies, perform actions as the victim, or escalate privileges.",
  "id": "GHSA-vcm5-gvmp-78mp",
  "modified": "2026-06-23T17:02:52Z",
  "published": "2026-06-23T17:02:52Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/gogs/gogs/security/advisories/GHSA-vcm5-gvmp-78mp"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gogs/gogs/pull/8325"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gogs/gogs/commit/573eacdc658641487f8ad883da96b29ec8e2852d"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/gogs/gogs"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gogs/gogs/releases/tag/v0.14.3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Gogs has DOM-based XSS via Milestone Name on New Issue Page"
}
