Stored Cross-Site Scripting in Gitea 3D File Viewer
CVE-2026-28737

8.7 HIGH

Key Information:

Vendor

Gitea

CVE Published:
3 July 2026

What is CVE-2026-28737?

Gitea versions prior to 1.26.0 are susceptible to a stored cross-site scripting (XSS) vulnerability in the 3D file viewer: the extensionsRequired field of a glTF file is rendered without proper escaping, so a script embedded in that field is stored with the file and executed in the browser of any user who views it. This may allow an attacker to run malicious scripts in the context of the web application, potentially compromising user data and system integrity. Users of affected versions should apply the updates described in the vendor's security advisories to mitigate this vulnerability.
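To show the class of defect and its fix, the following is an added example written for this page; it is not Gitea's code and not the actual patch. It parses a constructed glTF header, then contrasts a renderer that interpolates extension names straight into HTML (the vulnerable pattern) with one that escapes every name first. The hostile extension name is a constructed value, and the function names are assumptions.

```javascript
// Constructed sample glTF header. The second entry is a made-up hostile
// value standing in for file content an attacker controls; it is not a
// real glTF extension name.
const SAMPLE_GLTF = JSON.stringify({
  asset: { version: "2.0" },
  extensionsRequired: ["KHR_materials_unlit", "<script>probe()</script>"],
});

// Minimal HTML escaping for text that will be placed inside an element body.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Pull extensionsRequired out of a glTF JSON document, accepting only
// strings; anything else is dropped rather than coerced, since the field
// is entirely attacker-controlled.
function parseExtensionsRequired(gltfText) {
  const doc = JSON.parse(gltfText);
  const list = Array.isArray(doc.extensionsRequired) ? doc.extensionsRequired : [];
  return list.filter((name) => typeof name === "string");
}

// Vulnerable pattern (illustrative): file-controlled text is interpolated
// into markup unchanged, so markup in a name becomes part of the page.
function renderUnsupportedExtensionsUnsafe(names) {
  return `<ul>${names.map((n) => `<li>${n}</li>`).join("")}</ul>`;
}

// Hardened pattern: every name is escaped before it reaches markup, so the
// browser shows the characters literally instead of parsing them as tags.
// In real DOM code the same effect comes from assigning textContent.
function renderUnsupportedExtensionsSafe(names) {
  return `<ul>${names.map((n) => `<li>${escapeHtml(n)}</li>`).join("")}</ul>`;
}

// Detection helper: does the rendered fragment contain any tag other than
// the list markup the renderer itself emits?
function containsForeignTag(html) {
  return /<(?!\/?(?:ul|li)\b)[a-z]/i.test(html);
}

const names = parseExtensionsRequired(SAMPLE_GLTF);
console.log("unsafe:", renderUnsupportedExtensionsUnsafe(names));
console.log("safe:  ", renderUnsupportedExtensionsSafe(names));
```

Running it prints the two fragments side by side; the unsafe one carries a live script element while the safe one shows the same characters as inert text. The fix that matters is the escaping (or textContent assignment) at the point where untrusted file content meets the DOM, not any filtering of extension names.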

Affected Version(s)

Gitea Open Source Git Server 1.25.0 < 1.26.0

References

CVSS V3.1

Score: 8.7
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

yonatan-pl