Stored Cross-Site Scripting Vulnerability in Gogs Open Source Git Service
CVE-2026-26022

8.7HIGH

Key Information:

Vendor

Gogs

Status
Gogs
Vendor
CVE Published:
5 March 2026

What is CVE-2026-26022?

Gogs, a self-hosted Git service, has a vulnerability in its comment and issue description features that permits stored cross-site scripting (XSS). This occurs due to the application's HTML sanitizer allowing data: URI schemes, which permits authenticated users to inject malicious JavaScript. This security flaw has been rectified in version 0.14.2, emphasizing the importance of keeping the application upgraded to mitigate potential risks associated with unsafe user-generated content.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

gogs < 0.14.2

References

https://github.com/gogs/gogs/security/advisories/GHSA-xrc...
x_refsource_CONFIRM
https://github.com/gogs/gogs/pull/8174
x_refsource_MISC
https://github.com/gogs/gogs/commit/441c64d7bd8893b2f4e48...
x_refsource_MISC

CVSS V3.1

Score:
8.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.