GHSA-XRCR-GMF5-2R8J
Vulnerability from github – Published: 2026-03-05 19:26 – Updated: 2026-03-05 22:28

Summary
A Stored Cross-site Scripting (XSS) vulnerability exists in the comment and issue description functionality. The application's HTML sanitizer explicitly allows data: URI schemes, enabling authenticated users to inject arbitrary JavaScript execution via malicious links.
Details
The vulnerability is located in `internal/markup/sanitizer.go`. The application uses the `bluemonday` HTML sanitizer but explicitly weakens the security policy by allowing the `data` URL scheme:

```go
// internal/markup/sanitizer.go
func NewSanitizer() {
	sanitizer.init.Do(func() {
		// ...
		// Data URLs
		sanitizer.policy.AllowURLSchemes("data")
		// ...
	})
}
```

While the Markdown renderer rewrites relative links (mitigating standard Markdown `[link](data:...)` attacks), Gogs supports Raw HTML input. Raw HTML anchor tags bypass the Markdown parser's link rewriting and are processed directly by the sanitizer. Since the sanitizer is configured to allow `data:` URIs, payloads like `<a href="data:text/html...">` are rendered as-is.
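The defensive principle behind the advisory is a scheme allowlist for `href` values that does not include `data:`. The Go program below is an added example, not code from Gogs or from the bluemonday project: it implements such a check with only the standard library and uses it to audit constructed sample comments for links that a correctly configured sanitizer would reject. The allowlist (`http`, `https`, `mailto`), the `HrefAllowed` and `FindDisallowedHrefs` functions and the `sampleComments` inputs are all assumptions of this example; the actual Gogs fix is in the pull request and commit linked in the references.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Scheme allowlist for href values (assumption of this example). The root
// cause in the advisory was extending such a list with "data"; the hardened
// form simply leaves it out.
var allowedSchemes = map[string]bool{
	"http":   true,
	"https":  true,
	"mailto": true,
}

// hrefAttr matches href attributes in raw HTML, double-quoted, single-quoted
// or unquoted. It is good enough for a triage scan of stored content; it is
// not a replacement for a real HTML sanitizer.
var hrefAttr = regexp.MustCompile(`(?i)\bhref\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))`)

// HrefAllowed reports whether an href value passes the scheme allowlist.
// Relative URLs (no scheme) are accepted; anything with a scheme must be
// allowlisted. net/url lowercases the scheme and refuses control characters,
// so "DATA:..." and "java\tscript:..." do not slip past the check.
func HrefAllowed(href string) bool {
	u, err := url.Parse(strings.TrimSpace(href))
	if err != nil {
		return false // unparsable links are dropped rather than trusted
	}
	if u.Scheme == "" {
		return true // relative link such as "README.md" or "#section"
	}
	return allowedSchemes[strings.ToLower(u.Scheme)]
}

// FindDisallowedHrefs returns every href value in content that fails the
// allowlist, for example to audit issue comments stored before an upgrade.
func FindDisallowedHrefs(content string) []string {
	var bad []string
	for _, m := range hrefAttr.FindAllStringSubmatch(content, -1) {
		// Exactly one of the three capture groups is non-empty per match.
		href := m[1] + m[2] + m[3]
		if !HrefAllowed(href) {
			bad = append(bad, href)
		}
	}
	return bad
}

// sampleComments are constructed inputs for this example, not real Gogs data.
var sampleComments = []string{
	`See <a href="https://example.com/docs">the docs</a> and <a href="README.md">readme</a>.`,
	`<a href="data:text/html;base64,AAAA">click me</a>`,
	`Mixed: <a href='mailto:dev@example.com'>mail</a> <a href="DATA:text/plain,hi">x</a>`,
}

func main() {
	for i, c := range sampleComments {
		fmt.Printf("comment %d: disallowed hrefs %q\n", i, FindDisallowedHrefs(c))
	}
}
```

Parsing with `net/url` rather than a prefix comparison is the important design choice: it normalises scheme case and rejects embedded control characters that browsers would otherwise strip, which is exactly the class of bypass a hand-rolled `strings.HasPrefix(href, "data:")` check misses.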
PoC
1. Create a file named `exploit.md` in a repository.
2. Add the following content (Raw HTML):
   ```html
   <a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=">Click me for XSS</a>
   ```
3. Commit and push the file.
4. Navigate to the file in the Gogs web interface.
5. Click the "Click me for XSS" link.
6. Result: An alert box with "XSS" appears, executing the JavaScript payload.
Impact
This is a Stored XSS vulnerability. Any user who views the malicious comment and clicks the link will execute the attacker-supplied JavaScript in their browser context. This allows attackers to:
- Steal authentication cookies and session tokens.
- Perform arbitrary actions on behalf of the victim (e.g., modifying repositories, adding collaborators).
- Redirect users to malicious sites.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.14.1"
},
"package": {
"ecosystem": "Go",
"name": "gogs.io/gogs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.14.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-26022"
],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-05T19:26:02Z",
"nvd_published_at": "2026-03-05T19:16:03Z",
"severity": "HIGH"
},
"details": "### Summary\nA Stored Cross-site Scripting (XSS) vulnerability exists in the comment and issue description functionality. The application\u0027s HTML sanitizer explicitly allows `data:` URI schemes, enabling authenticated users to inject arbitrary JavaScript execution via malicious links.\n\n### Details\nThe vulnerability is located in `internal/markup/sanitizer.go`. The application uses the `bluemonday` HTML sanitizer but explicitly weakens the security policy by allowing the `data` URL scheme:\n\n```go\n// internal/markup/sanitizer.go\nfunc NewSanitizer() {\n sanitizer.init.Do(func() {\n // ...\n // Data URLs\n sanitizer.policy.AllowURLSchemes(\"data\")\n // ...\n })\n}\n```\n\nWhile the Markdown renderer rewrites relative links (mitigating standard Markdown `[link](data:...)` attacks), Gogs supports **Raw HTML** input. Raw HTML anchor tags bypass the Markdown parser\u0027s link rewriting and are processed directly by the sanitizer. Since the sanitizer is configured to allow `data:` URIs, payloads like `\u003ca href=\"data:text/html...\"\u003e` are rendered as-is.\n\n### PoC\n1. Create a file named `exploit.md` in a repository.\n2. Add the following content (Raw HTML):\n ```html\n \u003ca href=\"data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=\"\u003eClick me for XSS\u003c/a\u003e\n ```\n3. Commit and push the file.\n4. Navigate to the file in the Gogs web interface.\n5. Click the \"Click me for XSS\" link.\n6. **Result:** An alert box with \"XSS\" appears, executing the JavaScript payload.\n\n### Impact\nThis is a **Stored XSS** vulnerability. Any user who views the malicious comment and clicks the link will execute the attacker-supplied JavaScript in their browser context. This allows attackers to:\n* Steal authentication cookies and session tokens.\n* Perform arbitrary actions on behalf of the victim (e.g., modifying repositories, adding collaborators).\n* Redirect users to malicious sites.",
"id": "GHSA-xrcr-gmf5-2r8j",
"modified": "2026-03-05T22:28:35Z",
"published": "2026-03-05T19:26:02Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/gogs/gogs/security/advisories/GHSA-xrcr-gmf5-2r8j"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26022"
},
{
"type": "WEB",
"url": "https://github.com/gogs/gogs/pull/8174"
},
{
"type": "WEB",
"url": "https://github.com/gogs/gogs/commit/441c64d7bd8893b2f4e48660a8be3a7472e14291"
},
{
"type": "PACKAGE",
"url": "https://github.com/gogs/gogs"
},
{
"type": "WEB",
"url": "https://github.com/gogs/gogs/releases/tag/v0.14.2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Gogs: Stored XSS via data URI in issue comments"
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.