{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26022", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-09T21:36:29.555Z", "datePublished": "2026-03-05T18:34:12.843Z", "dateUpdated": "2026-03-10T03:55:24.998Z"}, "containers": {"cna": {"title": "Gogs: Stored XSS via data URI in issue comments", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/gogs/gogs/security/advisories/GHSA-xrcr-gmf5-2r8j", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/gogs/gogs/security/advisories/GHSA-xrcr-gmf5-2r8j"}, {"name": "https://github.com/gogs/gogs/pull/8174", "tags": ["x_refsource_MISC"], "url": "https://github.com/gogs/gogs/pull/8174"}, {"name": "https://github.com/gogs/gogs/commit/441c64d7bd8893b2f4e48660a8be3a7472e14291", "tags": ["x_refsource_MISC"], "url": "https://github.com/gogs/gogs/commit/441c64d7bd8893b2f4e48660a8be3a7472e14291"}, {"name": "https://github.com/gogs/gogs/releases/tag/v0.14.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/gogs/gogs/releases/tag/v0.14.2"}], "affected": [{"vendor": "gogs", "product": "gogs", "versions": [{"version": "< 0.14.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-05T18:34:12.843Z"}, "descriptions": [{"lang": "en", "value": "Gogs is an open source self-hosted Git service. Prior to version 0.14.2, a stored cross-site scripting (XSS) vulnerability exists in the comment and issue description functionality. The application's HTML sanitizer explicitly allows data: URI schemes, enabling authenticated users to inject arbitrary JavaScript execution via malicious links. This issue has been patched in version 0.14.2."}], "source": {"advisory": "GHSA-xrcr-gmf5-2r8j", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-06T00:00:00+00:00", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-26022"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T03:55:24.998Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26022", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-06T18:12:33.149813Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T18:12:37.361Z"}}], "cna": {"title": "Gogs: Stored XSS via data URI in issue comments", "source": {"advisory": "GHSA-xrcr-gmf5-2r8j", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "gogs", "product": "gogs", "versions": [{"status": "affected", "version": "< 0.14.2"}]}], "references": [{"url": "https://github.com/gogs/gogs/security/advisories/GHSA-xrcr-gmf5-2r8j", "name": "https://github.com/gogs/gogs/security/advisories/GHSA-xrcr-gmf5-2r8j", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/gogs/gogs/pull/8174", "name": "https://github.com/gogs/gogs/pull/8174", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/gogs/gogs/commit/441c64d7bd8893b2f4e48660a8be3a7472e14291", "name": "https://github.com/gogs/gogs/commit/441c64d7bd8893b2f4e48660a8be3a7472e14291", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/gogs/gogs/releases/tag/v0.14.2", "name": "https://github.com/gogs/gogs/releases/tag/v0.14.2", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Gogs is an open source self-hosted Git service. Prior to version 0.14.2, a stored cross-site scripting (XSS) vulnerability exists in the comment and issue description functionality. The application's HTML sanitizer explicitly allows data: URI schemes, enabling authenticated users to inject arbitrary JavaScript execution via malicious links. This issue has been patched in version 0.14.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-05T18:34:12.843Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26022", "state": "PUBLISHED", "dateUpdated": "2026-03-10T03:55:24.998Z", "dateReserved": "2026-02-09T21:36:29.555Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-05T18:34:12.843Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gogs:gogs:*:*:*:*:*:*:*:*", "matchCriteriaId": "0EDBB1E3-57E4-4560-A44F-7C54FD21C8B9", "versionEndExcluding": "0.14.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Gogs is an open source self-hosted Git service. Prior to version 0.14.2, a stored cross-site scripting (XSS) vulnerability exists in the comment and issue description functionality. The application's HTML sanitizer explicitly allows data: URI schemes, enabling authenticated users to inject arbitrary JavaScript execution via malicious links. This issue has been patched in version 0.14.2."}], "id": "CVE-2026-26022", "lastModified": "2026-03-06T13:55:54.890", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-05T19:16:03.497", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/gogs/gogs/commit/441c64d7bd8893b2f4e48660a8be3a7472e14291"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking"], "url": "https://github.com/gogs/gogs/pull/8174"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/gogs/gogs/releases/tag/v0.14.2"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/gogs/gogs/security/advisories/GHSA-xrcr-gmf5-2r8j"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.14.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "gogs", "source": "cna", "vendor": "gogs"}, "product": "gogs", "vendor": "gogs"}], "analysis": {"en": {"generated_at": "2026-04-18T09:53:26.091487+00:00", "value": {"mitigation_remediation": ["Upgrade Gogs to version 0.14.2 or later, which removes data: URI support from the sanitizer.", "If an immediate upgrade is not feasible, restrict comment and issue description editing to trusted users or temporarily disable the creation of new issues and comments until the patch can be applied.", "Review the sanitizer configuration to ensure data: URI schemes are blocked, and validate that the changes persist after any subsequent Gogs updates."], "summary": {"action": "Patch", "impact": "Stored Cross\u2011Site Scripting via data: URI scheme"}, "threat_synthesis": {"affected_systems": "Self\u2011hosted Gogs installations running any version older than 0.14.2 are vulnerable; the issue is limited to users who can edit or create issue comments and descriptions.", "description_and_impact": "Prior to version 0.14.2, Gogs permits authenticated users to insert arbitrary JavaScript in issue comments or issue descriptions via data: URI links, creating a stored cross\u2011site scripting flaw (CWE\u201179: Improper Neutralization of Input During Web Page Generation) that permits client\u2011side script execution. Based on this, it is inferred that an attacker could potentially compromise data confidentiality, hijack sessions, or carry out similar client\u2011side attacks.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 8.7, indicating high severity. The EPSS score is below 1%, suggesting low current exploitation likelihood, and it is not yet listed in the CISA KEV catalog. Attack requires authentication and the ability to post or edit issue comments, so it is primarily an insider or compromised\u2011user threat rather than a remote unauthenticated vector."}}}}, "created": "2026-03-06T15:01:25.956697+00:00", "updated": "2026-04-18T10:00:10.333363+00:00", "vendors": ["gogs", "gogs$PRODUCT$gogs"]}