{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26276", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-12T17:10:53.413Z", "datePublished": "2026-03-05T18:51:13.530Z", "dateUpdated": "2026-03-07T04:55:33.384Z"}, "containers": {"cna": {"title": "Gogs: DOM-based XSS via milestone selection", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/gogs/gogs/security/advisories/GHSA-vgjm-2cpf-4g7c", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/gogs/gogs/security/advisories/GHSA-vgjm-2cpf-4g7c"}, {"name": "https://github.com/gogs/gogs/pull/8178", "tags": ["x_refsource_MISC"], "url": "https://github.com/gogs/gogs/pull/8178"}, {"name": "https://github.com/gogs/gogs/releases/tag/v0.14.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/gogs/gogs/releases/tag/v0.14.2"}], "affected": [{"vendor": "gogs", "product": "gogs", "versions": [{"version": "< 0.14.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-05T18:51:13.530Z"}, "descriptions": [{"lang": "en", "value": "Gogs is an open source self-hosted Git service. Prior to version 0.14.2, an attacker can store an HTML/JavaScript payload in a repository\u2019s Milestone name, and when another user selects that Milestone on the New Issue page (/issues/new), a DOM-Based XSS is triggered. This issue has been patched in version 0.14.2."}], "source": {"advisory": "GHSA-vgjm-2cpf-4g7c", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-06T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-26276"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-07T04:55:33.384Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26276", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-06T18:06:04.673194Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T18:06:08.344Z"}}], "cna": {"title": "Gogs: DOM-based XSS via milestone selection", "source": {"advisory": "GHSA-vgjm-2cpf-4g7c", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "gogs", "product": "gogs", "versions": [{"status": "affected", "version": "< 0.14.2"}]}], "references": [{"url": "https://github.com/gogs/gogs/security/advisories/GHSA-vgjm-2cpf-4g7c", "name": "https://github.com/gogs/gogs/security/advisories/GHSA-vgjm-2cpf-4g7c", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/gogs/gogs/pull/8178", "name": "https://github.com/gogs/gogs/pull/8178", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/gogs/gogs/releases/tag/v0.14.2", "name": "https://github.com/gogs/gogs/releases/tag/v0.14.2", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Gogs is an open source self-hosted Git service. Prior to version 0.14.2, an attacker can store an HTML/JavaScript payload in a repository\u2019s Milestone name, and when another user selects that Milestone on the New Issue page (/issues/new), a DOM-Based XSS is triggered. This issue has been patched in version 0.14.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-05T18:51:13.530Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26276", "state": "PUBLISHED", "dateUpdated": "2026-03-07T04:55:33.384Z", "dateReserved": "2026-02-12T17:10:53.413Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-05T18:51:13.530Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gogs:gogs:*:*:*:*:*:*:*:*", "matchCriteriaId": "0EDBB1E3-57E4-4560-A44F-7C54FD21C8B9", "versionEndExcluding": "0.14.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Gogs is an open source self-hosted Git service. Prior to version 0.14.2, an attacker can store an HTML/JavaScript payload in a repository\u2019s Milestone name, and when another user selects that Milestone on the New Issue page (/issues/new), a DOM-Based XSS is triggered. This issue has been patched in version 0.14.2."}], "id": "CVE-2026-26276", "lastModified": "2026-03-05T22:00:00.810", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-05T19:16:04.373", "references": [{"source": "security-advisories@github.com", "tags": ["Issue Tracking"], "url": "https://github.com/gogs/gogs/pull/8178"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/gogs/gogs/releases/tag/v0.14.2"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/gogs/gogs/security/advisories/GHSA-vgjm-2cpf-4g7c"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.14.2)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "gogs", "source": "cna", "vendor": "gogs"}, "product": "gogs", "vendor": "gogs"}], "analysis": {"en": {"generated_at": "2026-04-16T12:14:09.160209+00:00", "value": {"mitigation_remediation": ["Upgrade Gogs to version 0.14.2 or later, which removes the vulnerable code.", "If an upgrade is not feasible, audit all milestone titles for disallowed characters and remove or replace any payloads containing <, >, or script tags.", "Restrict milestone creation to users with admin or write permissions, and enforce an input whitelist that rejects HTML or script content."], "summary": {"action": "Immediate Patch", "impact": "Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "Gogs, versions older than 0.14.2. The issue was fixed in v0.14.2, so any deployment using v0.14.1 or earlier is affected.", "description_and_impact": "A DOM\u2011based XSS flaw in Gogs allows an attacker to embed an HTML or JavaScript payload into the title of a repository milestone. When another user selects that milestone on the New Issue page, the payload is injected into the page\u2019s DOM and executes in the victim\u2019s browser. The weakness is a classic unvalidated stored input reflected unsanitized content, identified as CWE\u201179. The impact is that any authenticated or publicly accessible user who views the milestone can have arbitrary JavaScript run in their browser session, potentially leading to session hijacking, credential theft, or point\u2011of\u2011interest defacement.", "risk_and_exploitability": "The CVSS score of 7.3 places this vulnerability in the high\u2011severity range, though the EPSS score of less than 1% indicates a low probability of exploitation currently. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector requires an attacker to create a milestone with malicious content in a repository they can modify, after which any user who selects that milestone on the issue creation page is exposed to the injected JavaScript. Because the flaw requires only repository modification privileges, an internal user or an attacker who gains write access to the repository can trigger it. Despite the low exploitation probability, the potential for damaging session compromise warrants immediate remediation."}}}}, "created": "2026-03-06T15:01:21.227541+00:00", "updated": "2026-04-16T12:15:35.096474+00:00", "vendors": ["gogs", "gogs$PRODUCT$gogs"]}