Stored Cross-Site Scripting Vulnerability in Gogs Open Source Git Service
CVE-2026-26022
8.7 HIGH
What is CVE-2026-26022?
Gogs, a self-hosted Git service, contains a stored cross-site scripting (XSS) vulnerability in its comment and issue description features. The application's HTML sanitizer allows the data: URI scheme, which lets authenticated users inject malicious JavaScript. The flaw is fixed in version 0.14.2; keeping the application upgraded mitigates the risks associated with unsafe user-generated content.
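A sanitizer avoids this class of bug by allowlisting URL schemes on link and image attributes rather than accepting any scheme. The Go code below is an added example, not Gogs code or its actual fix; the function names, the allowlist contents and the sample inputs are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// allowedSchemes is an assumed allowlist for this example, not Gogs' real policy.
var allowedSchemes = map[string]bool{"http": true, "https": true, "mailto": true}

// stripIgnored drops ASCII whitespace and control characters. Browsers ignore
// tabs and newlines anywhere in a URL and trim leading spaces, so " data:" and
// "da\tta:" both resolve as data:. Removing all of them is deliberately stricter.
func stripIgnored(s string) string {
	return strings.Map(func(r rune) rune {
		if r <= 0x20 || r == 0x7f {
			return -1
		}
		return r
	}, s)
}

// IsSafeLink reports whether raw may be kept as an href or src value.
// Relative references carry no scheme and are kept; any scheme that is
// not on the allowlist (data: included) is rejected.
func IsSafeLink(raw string) bool {
	u, err := url.Parse(stripIgnored(raw))
	if err != nil {
		return false // unparseable input is dropped, not passed through
	}
	if u.Scheme == "" {
		return true
	}
	return allowedSchemes[strings.ToLower(u.Scheme)]
}

func main() {
	// Constructed sample attribute values, not taken from a real report.
	samples := []string{
		"https://example.com/docs",
		"/owner/repo/issues/1",
		"data:text/html,constructed-placeholder",
		" DaTa:text/html,constructed-placeholder",
	}
	for _, s := range samples {
		fmt.Printf("%-45q keep=%v\n", s, IsSafeLink(s))
	}
}
```

Without the stripping step, Go's `url.Parse` reads a value with a leading space as a scheme-less relative reference, so the check would keep it.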
Affected Version(s)
gogs < 0.14.2
