HTML/JavaScript Injection Vulnerability in Gogs Git Service
CVE-2026-52807

4.8 MEDIUM

Key Information:

Vendor

Gogs

Status
Vendor
CVE Published:
24 June 2026

What is CVE-2026-52807?

A vulnerability exists in Gogs, an open source self-hosted Git service, where milestone names are rendered without adequate protection against HTML injection. Because the milestone dropdown uses Semantic UI's dropdown component with its default settings, an attacker can store malicious HTML/JavaScript in a milestone name. When a user interacts with that dropdown on the New Issue page, the component decodes and re-parses the stored text as HTML, and the payload executes in the user's browser. The vulnerability was fixed in version 0.14.3.

Affected Version(s)

gogs < 0.14.3

References

CVSS V4

Score:
4.8
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability reserved