Stored Cross-Site Scripting Vulnerability in Forgejo by Codeberg
CVE-2026-59102

2.1LOW

Key Information:

Vendor

Forgejo

Status
Vendor
CVE Published:
2 July 2026

Badges

๐Ÿ‘พ Exploit Exists๐ŸŸก Public PoC

What is CVE-2026-59102?

Forgejo, a platform developed by Codeberg, is vulnerable to a stored cross-site scripting attack that can be exploited by authenticated users. Attackers can embed malicious JavaScript code into the display name field. When the DEFAULT_SHOW_FULL_NAME option is activated, this name gets rendered into an HTML string without proper escaping. This vulnerability becomes critical when a user views an affected Actions run page, as their browser executes the injected script, potentially leading to unauthorized actions or information theft. Users are urged to update to version 15.0.3 or later to mitigate this risk.

Affected Version(s)

forgejo 0 < 15.0.3

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

References

CVSS V4

Score:
2.1
Severity:
LOW
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • ๐ŸŸก

    Public PoC available

  • ๐Ÿ‘พ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

George Chen
.