GHSA-VGVF-M4FW-938J

Vulnerability from github – Published: 2026-03-05 19:48 – Updated: 2026-03-05 22:28
Summary
Gogs: Stored XSS in branch and wiki views through author and committer names
Details

Summary

Stored XSS is still possible through unsafe template rendering that mixes user input with safe() plus permissive sanitizer handling of data URLs.

Details

safe() still turns off escaping:

  • internal/template/template.go
  • func safe(raw string) template.HTML { return template.HTML(raw) }

Branch pages still render committer names using safe():

  • templates/repo/branches/overview.tmpl
  • templates/repo/branches/all.tmpl
  • templates/repo/wiki/view.tmpl

The locale still injects a raw second argument: conf/locale/locale_en-US.ini (branches.updated_by = updated %[1]s by %[2]s)

Impact

An attacker who can inject commit metadata such as author/committer name can trigger script execution on affected pages, leading to session abuse, CSRF token theft, or unauthorized actions.

Recommended Fix

  • Untrusted arguments should be escaped before being used in translations.
  • Data URLs should be limited or blocked in the sanitizer.
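The vulnerable pattern and the first recommended fix side by side, as an added example that is not Gogs code: the safe() helper and the locale string are quoted from the advisory, while rowTmpl, render, renderVulnerable, renderFixed and the committer name are hypothetical stand-ins constructed here.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
)

// safe is the helper the advisory quotes from internal/template/template.go:
// it marks any string as trusted HTML, so html/template will not escape it.
func safe(raw string) template.HTML { return template.HTML(raw) }

// updatedBy is the locale string named in the advisory; %[2]s receives the
// committer name straight from commit metadata.
const updatedBy = "updated %[1]s by %[2]s"

// rowTmpl is a hypothetical stand-in for a branch row that pipes the message through safe().
var rowTmpl = template.Must(template.New("row").
	Funcs(template.FuncMap{"safe": safe}).
	Parse(`<td>{{ .Msg | safe }}</td>`))

func render(msg string) (string, error) {
	var buf bytes.Buffer
	if err := rowTmpl.Execute(&buf, map[string]string{"Msg": msg}); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// renderVulnerable reproduces the pattern the advisory describes: raw metadata
// is substituted into the translation and the whole string is marked safe.
func renderVulnerable(when, committer string) (string, error) {
	return render(fmt.Sprintf(updatedBy, when, committer))
}

// renderFixed applies the recommended fix: each untrusted argument is HTML-escaped
// before it reaches the translation, so safe() only passes through locale markup.
func renderFixed(when, committer string) (string, error) {
	return render(fmt.Sprintf(updatedBy,
		template.HTMLEscapeString(when), template.HTMLEscapeString(committer)))
}

func main() {
	name := "Mallory <u>injected markup</u>" // constructed committer name
	v, _ := renderVulnerable("2 hours ago", name)
	f, _ := renderFixed("2 hours ago", name)
	fmt.Println("vulnerable:", v)
	fmt.Println("fixed:     ", f)
}
```

The second recommendation (restricting data: URLs in the sanitizer) is a separate control on the sanitizer's allowed URL schemes and is not covered by this block.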

Remediation

A fix is available at https://github.com/gogs/gogs/releases/tag/v0.14.2.


{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "gogs.io/gogs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.13.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-26195"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-05T19:48:33Z",
    "nvd_published_at": "2026-03-05T19:16:03Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nStored XSS is still possible through unsafe template rendering that mixes user input with `safe()` plus permissive sanitizer handling of data URLs.\n\n### Details\n\n`safe()` still turns off escaping:\n- internal/template/template.go\n- `func safe(raw string) template.HTML { return template.HTML(raw) }`\n\nBranch pages still render committer names using `safe()`:\n- templates/repo/branches/overview.tmpl\n- templates/repo/branches/all.tmpl\n- templates/repo/wiki/view.tmpl\n\nThe locale still injects a raw second argument: conf/locale/locale_en-US.ini (`branches.updated_by = updated %[1]s by %[2]s`)\n\n### Impact\n\nAn attacker who can inject commit metadata such as author/committer name can trigger script execution on affected pages, leading to session abuse, CSRF token theft, or unauthorized actions.\n\n### Recommended Fix\n\n- Untrusted arguments should be escaped before being used in translations.\n- Data URLs should be limited or blocked in the sanitizer.\n\n### Remediation\nA fix is available at https://github.com/gogs/gogs/releases/tag/v0.14.2.",
  "id": "GHSA-vgvf-m4fw-938j",
  "modified": "2026-03-05T22:28:44Z",
  "published": "2026-03-05T19:48:33Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/gogs/gogs/security/advisories/GHSA-vgvf-m4fw-938j"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26195"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gogs/gogs/pull/8176"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gogs/gogs/commit/ac21150a53bef3a3061f4da787ab193a8d68ecfc"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/gogs/gogs"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gogs/gogs/releases/tag/v0.14.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Gogs: Stored XSS in branch and wiki views through author and committer names"
}
