DOM-Based XSS Vulnerability in Gogs Git Service by Gogs
CVE-2026-26276
7.3 HIGH
What is CVE-2026-26276?
Gogs is an open-source self-hosted Git service. Versions prior to 0.14.2 are susceptible to a DOM-based Cross-Site Scripting (XSS) attack. An attacker could exploit this vulnerability by storing an HTML/JavaScript payload in a repository's Milestone name. When another user attempted to create a new issue and selected this Milestone, the script would execute in the context of that user's browser. The flaw is patched in Gogs version 0.14.2.
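The class of bug described above, shown as an added example that is not Gogs source code: a stored name concatenated into markup next to the escaped form, plus a triage helper that flags stored names containing markup characters. All function names, the markup shape and the sample milestones are assumptions constructed for illustration.

```javascript
// Added illustration; not taken from the Gogs code base.
// Function names, markup shape and data below are hypothetical.

// Escape the characters that are significant in HTML text and attributes.
function escapeHTML(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: the stored name becomes part of a markup string that a
// page script would assign to an element's innerHTML, so any tags in the name
// are parsed by the browser of whoever selects the milestone.
function selectedMilestoneMarkupUnsafe(name) {
  return '<a class="item">' + name + "</a>";
}

// Hardened pattern: the name is escaped before it reaches markup. In a
// browser, setting element.textContent = name gives the same guarantee.
function selectedMilestoneMarkupSafe(name) {
  return '<a class="item">' + escapeHTML(name) + "</a>";
}

// Triage helper: return the ids of milestones whose stored name contains
// angle brackets, for manual review on an instance that ran a version
// earlier than 0.14.2.
function findSuspiciousMilestones(milestones) {
  return milestones.filter((m) => /[<>]/.test(m.name)).map((m) => m.id);
}

// Constructed sample records (not real data).
const milestones = [
  { id: 1, name: "v1.0" },
  { id: 2, name: "<img src=x onerror=alert(1)>" },
  { id: 3, name: "Q3 & Q4 cleanup" },
];

console.log(selectedMilestoneMarkupUnsafe(milestones[1].name));
console.log(selectedMilestoneMarkupSafe(milestones[1].name));
console.log(findSuspiciousMilestones(milestones));
```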
Affected Version(s)
gogs < 0.14.2
