Server-side cross-site scripting in gogs.io/gogs

Description

Gogs: Stored XSS in branch and wiki views through author and committer names

Summary

Stored XSS is still possible through unsafe template rendering that mixes user input with safe() plus permissive sanitizer handling of data URLs.

Details

safe() still turns off escaping:

    internal/template/template.go

    func safe(raw string) template.HTML { return template.HTML(raw) }

Branch and wiki pages still render author and committer names through safe():

    templates/repo/branches/overview.tmpl

    templates/repo/branches/all.tmpl

    templates/repo/wiki/view.tmpl

The locale still injects a raw second argument: conf/locale/locale_en-US.ini (branches.updated_by = updated %[1]s by %[2]s)

Impact

An attacker who can inject commit metadata such as author/committer name can trigger script execution on affected pages, leading to session abuse, CSRF token theft, or unauthorized actions.

Recommended Fix

    Untrusted arguments should be escaped before being used in translations.

    Data URLs should be limited or blocked in the sanitizer.
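As an added illustration (not code from Gogs or its maintainers), the following Go program reconstructs the rendering path described under Details and places the escaping recommended above beside it. The locale string is taken from the page; the function names, the sample committer name and the use of html.EscapeString are constructed assumptions.

```go
package main

import (
	"fmt"
	"html"
	"html/template"
	"strings"
)

// Stand-in for branches.updated_by from conf/locale/locale_en-US.ini.
const updatedBy = "updated %[1]s by %[2]s"

// safe mirrors the helper in internal/template/template.go: marking a string
// as template.HTML tells html/template not to escape it.
func safe(raw string) template.HTML { return template.HTML(raw) }

// renderUnsafe is a hypothetical reconstruction of the vulnerable path: the
// committer name is substituted into the translation and the result is wrapped
// in safe(), so any markup in the name reaches the browser unescaped.
func renderUnsafe(when, committer string) string {
	return string(safe(fmt.Sprintf(updatedBy, when, committer)))
}

// renderFixed applies the advisory's recommendation: every untrusted argument
// is HTML-escaped before substitution. Only the locale string itself is trusted.
func renderFixed(when, committer string) string {
	return string(safe(fmt.Sprintf(updatedBy, html.EscapeString(when), html.EscapeString(committer))))
}

// renderViaTemplate shows the alternative of not calling safe() at all: passed
// as a plain string, the name is escaped contextually by html/template.
var tmpl = template.Must(template.New("updated").Parse("updated {{.When}} by {{.Committer}}"))

func renderViaTemplate(when, committer string) (string, error) {
	var sb strings.Builder
	err := tmpl.Execute(&sb, map[string]string{"When": when, "Committer": committer})
	return sb.String(), err
}

// containsRawTag is the check a regression test would make on rendered output.
func containsRawTag(rendered string) bool {
	return strings.Contains(rendered, "<") || strings.Contains(rendered, ">")
}

func main() {
	// Constructed committer name carrying markup; not taken from any real commit.
	committer := `Mallory <b onmouseover="x()">M</b>`
	fmt.Println(renderUnsafe("2 days ago", committer))
	fmt.Println(renderFixed("2 days ago", committer))
}
```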

Remediation

A fix is available at https://github.com/gogs/gogs/releases/tag/v0.14.2.
