Description

Gogs is an open-source, self-hosted Git service. Prior to version 0.14.2, stored XSS is still possible through unsafe template rendering that mixes user input with safe, plus permissive sanitizer handling of data URLs. This issue has been patched in version 0.14.2.

PUBLISHED Reserved 2026-02-11 | Published 2026-03-05 | Updated 2026-03-06 | Assigner GitHub_M




MEDIUM: 6.9 | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

< 0.14.2: affected

References

github.com/gogs/gogs/security/advisories/GHSA-vgvf-m4fw-938j

github.com/gogs/gogs/pull/8176

github.com/...ommit/ac21150a53bef3a3061f4da787ab193a8d68ecfc

github.com/gogs/gogs/releases/tag/v0.14.2

cve.org (CVE-2026-26195)

nvd.nist.gov (CVE-2026-26195)
