Stored Cross-Site Scripting in Gitea 3D File Viewer
CVE-2026-28737
8.7 HIGH
What is CVE-2026-28737?
Gitea versions from 1.25.0 up to but not including 1.26.0 contain a stored cross-site scripting (XSS) vulnerability in the built-in 3D file viewer. When the viewer renders a glTF file, the contents of the file's extensionsRequired field reach the page in a way that allows script injection. An attacker who can commit a crafted glTF file to a repository can therefore have arbitrary JavaScript execute in the browser of any user who opens that file in the viewer; as with any stored XSS, the payload persists in the repository and runs in the origin of the Gitea instance with the viewing user's session. Affected deployments should upgrade to 1.26.0 or later as described in the vendor's security advisory.
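The following is an added illustration of the bug class described above; it is not Gitea's code and makes no claim about how Gitea's viewer is written. It constructs a minimal glTF document whose extensionsRequired array carries markup instead of an extension name, shows a hypothetical viewer that concatenates those names into HTML (the vulnerable pattern), and shows the hardened form that escapes every name and, as an extra allowlist check, flags values that do not look like glTF extension identifiers. The identifier pattern is an assumption chosen for this example, not a rule taken from the glTF specification or from Gitea.

```javascript
// Added example, not Gitea's code. Demonstrates how a string stored in a
// glTF "extensionsRequired" array becomes stored XSS when a file viewer
// concatenates it into HTML, and how to render the same data safely.

// Constructed sample: a minimal glTF 2.0 JSON whose extensionsRequired
// entry is an HTML payload rather than an extension name.
const PAYLOAD = '<img src=x onerror="alert(document.cookie)">';
const MALICIOUS_GLTF = JSON.stringify({
  asset: { version: '2.0' },
  extensionsRequired: [PAYLOAD],
  extensionsUsed: [PAYLOAD],
  scenes: [],
});

// Constructed benign sample with a real-looking extension name.
const BENIGN_GLTF = JSON.stringify({
  asset: { version: '2.0' },
  extensionsRequired: ['KHR_draco_mesh_compression'],
  scenes: [],
});

function requiredExtensions(gltfText) {
  const gltf = JSON.parse(gltfText);
  return Array.isArray(gltf.extensionsRequired) ? gltf.extensionsRequired : [];
}

// Vulnerable pattern (hypothetical viewer): file contents are spliced
// straight into markup, the equivalent of element.innerHTML = html.
function renderRequiredExtensionsUnsafe(gltfText) {
  const items = requiredExtensions(gltfText).map((n) => `<li>${n}</li>`);
  return `<ul class="required-extensions">${items.join('')}</ul>`;
}

// Escape the five characters that can break out of HTML text or attributes.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Assumed allowlist for extension identifiers (PREFIX_name, alphanumerics
// and underscores only). This is defense in depth for the example, not a
// requirement from the glTF specification.
const EXTENSION_NAME = /^[A-Z0-9]+_[A-Za-z0-9_]+$/;

// Returns the entries that fail the allowlist, so a viewer can refuse or
// flag them before they reach any rendering code.
function invalidExtensionNames(gltfText) {
  return requiredExtensions(gltfText).filter(
    (n) => typeof n !== 'string' || !EXTENSION_NAME.test(n),
  );
}

// Hardened pattern: treat every name as data. Escape it when building
// markup (in a browser, creating an <li> and assigning textContent is the
// equivalent) and mark entries that do not look like extension identifiers.
function renderRequiredExtensionsSafe(gltfText) {
  const items = requiredExtensions(gltfText).map((n) => {
    const valid = typeof n === 'string' && EXTENSION_NAME.test(n);
    const cls = valid ? '' : ' class="unrecognized"';
    return `<li${cls}>${escapeHtml(n)}</li>`;
  });
  return `<ul class="required-extensions">${items.join('')}</ul>`;
}

// Stand-alone demonstration.
console.log('unsafe :', renderRequiredExtensionsUnsafe(MALICIOUS_GLTF));
console.log('safe   :', renderRequiredExtensionsSafe(MALICIOUS_GLTF));
console.log('invalid:', invalidExtensionNames(MALICIOUS_GLTF));
console.log('benign :', renderRequiredExtensionsSafe(BENIGN_GLTF));
```

The unsafe renderer emits the `<img ... onerror=...>` tag verbatim, so a browser executes the handler as soon as the list is inserted into the document. The safe renderer emits `&lt;img ...&gt;`, which displays as text, and `invalidExtensionNames` gives a viewer a point at which to reject such a file entirely. The same principle applies to every other free-text field in a model file (asset.generator, node names, material names): anything parsed from the repository is untrusted input and must not be interpreted as markup.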
Affected Version(s)
Gitea Open Source Git Server 1.25.0 < 1.26.0
