PT-2025-26689 · Pdf.Js+1

Edoardottt · Published 2025-06-24 · Updated 2025-08-04 · CVE-2025-47943

CVSS v3.1: 6.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N

Name of the Vulnerable Software and Affected Versions: Gogs versions 0.14.0+dev and prior
Description: Gogs is an open source self-hosted Git service. The issue is a stored cross-site scripting (XSS) vulnerability that allows client-side JavaScript code execution. It is caused by the use of a vulnerable and outdated component, pdfjs-1.4.20, located in public/plugins/.
Recommendations: For versions 0.14.0+dev and prior, update to version 0.13.3 or later to resolve the issue. As a temporary workaround, consider disabling the pdfjs-1.4.20 component under public/plugins/ until a patch is available.

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2025-47943
GHSA-XH32-CX6C-CP4V
GO-2025-3778
OPENSUSE-SU-2025:15405-1

Affected Products

Gogs
Pdf.Js