Stored Cross-Site Scripting Vulnerability in Forgejo by Codeberg
CVE-2026-59102
What is CVE-2026-59102?
Forgejo, the self-hosted software forge maintained by Codeberg, contains a stored cross-site scripting (XSS) vulnerability that any authenticated user can trigger. An attacker sets their display name (the full-name field of their profile) to a string containing HTML and JavaScript. When the DEFAULT_SHOW_FULL_NAME option is enabled, Forgejo renders that name into an HTML string without escaping it, so the markup is stored once and served to every viewer. When another user opens an affected Actions run page, their browser executes the injected script in the context of the Forgejo origin, which can be used to perform actions as that user or to steal information accessible to their session. The fix ships in Forgejo 15.0.3; administrators should upgrade to 15.0.3 or later. Because the vulnerable code path is only reached when DEFAULT_SHOW_FULL_NAME is enabled, disabling that option is a reasonable interim mitigation where an immediate upgrade is not possible, and stored full names are worth reviewing for embedded markup to identify accounts that attempted exploitation.
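To make the bug class concrete, the following Go program is an added illustration written for this page; it is not Forgejo's code and does not reproduce the real template. All function names, the sample usernames and the payload are hypothetical. It shows the unsafe pattern the advisory describes (an attacker-controlled name concatenated into an HTML string), the same rendering with escaping at the interpolation point, the idiomatic html/template version that escapes by context, and a coarse triage check an administrator could run over stored full names.

```go
package main

import (
	"fmt"
	"html"
	"html/template"
	"strings"
)

// DisplayName mirrors the decision the advisory describes: when the
// show-full-name option is enabled the user's free-text full name is
// shown, otherwise the username is. Hypothetical helper, not Forgejo's.
func DisplayName(username, fullName string, showFullName bool) string {
	if showFullName && strings.TrimSpace(fullName) != "" {
		return fullName
	}
	return username
}

// RenderActorUnsafe reproduces the vulnerable pattern: the attacker-controlled
// name is concatenated into an HTML string with no escaping, so any markup in
// it becomes part of the page. Hypothetical code illustrating the bug class.
func RenderActorUnsafe(name string) string {
	return fmt.Sprintf(`<span class="actor">%s</span>`, name)
}

// RenderActorEscaped is the minimal fix: escape at the point of interpolation
// so <, >, &, ' and " in the name are rendered as text, not markup.
func RenderActorEscaped(name string) string {
	return fmt.Sprintf(`<span class="actor">%s</span>`, html.EscapeString(name))
}

// actorTmpl is the idiomatic Go fix: html/template escapes values according to
// the HTML context they land in, so the name cannot break out of the element.
var actorTmpl = template.Must(template.New("actor").Parse(`<span class="actor">{{.}}</span>`))

// RenderActorTemplate renders the name through the contextual auto-escaper.
func RenderActorTemplate(name string) (string, error) {
	var sb strings.Builder
	if err := actorTmpl.Execute(&sb, name); err != nil {
		return "", err
	}
	return sb.String(), nil
}

// ContainsMarkup is a deliberately coarse triage check: in an HTML text
// context a payload must open a tag, so angle brackets in a stored full name
// are worth a manual look. It is a heuristic, not a sanitizer.
func ContainsMarkup(name string) bool {
	return strings.ContainsAny(name, "<>")
}

func main() {
	// Constructed payload of the kind the advisory describes (sample data).
	payload := `<img src=x onerror="alert(document.cookie)">`
	name := DisplayName("mallory", payload, true)

	fmt.Println("unsafe:  ", RenderActorUnsafe(name))
	fmt.Println("escaped: ", RenderActorEscaped(name))
	out, err := RenderActorTemplate(name)
	if err != nil {
		panic(err)
	}
	fmt.Println("template:", out)
	fmt.Println("flagged: ", ContainsMarkup(name))
}
```

The unsafe renderer emits the `<img>` tag verbatim, so a browser loading that page fires the `onerror` handler; both fixed renderers emit `&lt;img src=x onerror=&#34;alert(document.cookie)&#34;&gt;`, which displays the payload as literal text. Prefer the html/template form in real code: it also handles attribute, URL and script contexts, which a single call to html.EscapeString does not.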
Affected Version(s)
forgejo: all versions before 15.0.3 (fixed in 15.0.3)
Exploit Proof of Concept (PoC)
Proof-of-concept code is written by security researchers to demonstrate that a vulnerability can actually be exploited. Once public, PoC code also lowers the bar for attackers to weaponize the flaw in real intrusions.
Timeline
- Vulnerability reserved
- Vulnerability published
Badges
- Public PoC available
- Exploit known to exist
