PT-2026-23484 · Gogs · Gogs

Dxleryt · Published 2026-02-11 · Updated 2026-03-25 · CVE-2026-26022

CVSS v3.1: 8.7 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Gogs versions prior to 0.14.2
Description: Gogs, a self-hosted Git service, contains a stored cross-site scripting (XSS) vulnerability in the comment and issue description functionality. The HTML sanitizer, a bluemonday policy configured in internal/markup/sanitizer.go, allows the data: URI scheme in links, so any authenticated user can inject a link that executes arbitrary JavaScript in the browser of whoever follows it. Raw HTML anchor tags are passed through by the Markdown parser and handed directly to the sanitizer, so a payload such as <a href="data:text/html,..."> survives sanitization and is rendered as a live link. The reported exploitation path is to create a file containing the malicious HTML, commit and push it to a repository, and then have a victim click the link in the Gogs web interface. Successful exploitation allows the attacker to steal authentication cookies, perform actions on behalf of the victim, or redirect users to malicious sites.
Assessment note: current browsers block top-level navigation to data:text/html links and give a data: document an opaque origin, so the practical impact, cookie theft in particular, depends on the victim's browser. That does not change the fix: data: has no place on a sanitizer's link-scheme allowlist, because the scheme lets the link itself carry an executable document.
Recommendations: Update Gogs to version 0.14.2 or later. After upgrading, confirm that the sanitizer policy no longer allows the data: scheme, for example by posting a comment containing <a href="data:text/html,test">x</a> on a test instance and checking that the rendered anchor has no data: href.
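The policy mistake the advisory describes, shown as an added example written for this page (it is not Gogs's sanitizer and not bluemonday code): a stdlib-only stand-in for the scheme-allowlist part of a bluemonday policy, with the weak configuration (data: on the allowlist, the equivalent of calling bluemonday's AllowDataURIs()) beside the corrected one, applied to a constructed raw-HTML anchor of the kind described above. The type and function names, the regexps and the sample payload are all assumptions made here.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// HrefPolicy is a stdlib-only stand-in for the URL-scheme part of a
// bluemonday policy: an explicit scheme allowlist plus a switch for
// relative links. Illustrative only; this is not Gogs's sanitizer.
type HrefPolicy struct {
	schemes       map[string]bool
	allowRelative bool
}

func newPolicy(allowRelative bool, schemes ...string) HrefPolicy {
	m := make(map[string]bool, len(schemes))
	for _, s := range schemes {
		m[strings.ToLower(s)] = true
	}
	return HrefPolicy{schemes: m, allowRelative: allowRelative}
}

// VulnerablePolicy mirrors the weak configuration: data: is on the allowlist.
func VulnerablePolicy() HrefPolicy {
	return newPolicy(true, "http", "https", "mailto", "data")
}

// FixedPolicy lists only the schemes a Git web UI needs; data: (and any other
// unlisted scheme such as javascript:) is rejected.
func FixedPolicy() HrefPolicy {
	return newPolicy(true, "http", "https", "mailto")
}

// Allow reports whether an href value may be emitted under the policy.
func (p HrefPolicy) Allow(href string) bool {
	// Browsers strip surrounding whitespace before resolving a URL, so
	// " data:..." must be judged as data:, not as a relative link.
	u, err := url.Parse(strings.TrimSpace(href))
	if err != nil {
		return false // anything net/url cannot parse is rejected outright
	}
	if u.Scheme == "" {
		// Scheme-less link: allow only true relative paths. "//host/path" also
		// parses with an empty scheme but carries a host, so it is refused.
		return p.allowRelative && u.Host == ""
	}
	// url.Parse lower-cases the scheme, so "DATA:" cannot slip past the lookup.
	return p.schemes[u.Scheme]
}

var (
	// Opening <a ...> tag; quoted attribute values are kept intact even when
	// they contain '>' (as a data:text/html,<script>...</script> payload does).
	anchorTag = regexp.MustCompile(`(?i)<a\b(?:[^>"']|"[^"]*"|'[^']*')*>`)
	// href attribute in double quotes, single quotes or unquoted.
	hrefAttr = regexp.MustCompile(`(?i)\s+href\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))`)
)

// SanitizeAnchors applies the policy to every raw <a href="..."> in a
// fragment, dropping rejected hrefs but keeping the anchor text. A real
// sanitizer walks a parsed DOM; the regexp is enough to show the policy's effect.
func SanitizeAnchors(fragment string, p HrefPolicy) string {
	return anchorTag.ReplaceAllStringFunc(fragment, func(tag string) string {
		m := hrefAttr.FindStringSubmatch(tag)
		if m == nil {
			return tag
		}
		href := m[1] + m[2] + m[3] // exactly one capture group is non-empty
		if p.Allow(href) {
			return tag
		}
		return hrefAttr.ReplaceAllString(tag, "")
	})
}

// SamplePayload is a constructed raw-HTML anchor of the kind the advisory
// describes; it is not taken from any real exploit.
const SamplePayload = `<p>See <a href="data:text/html,<script>alert(document.domain)</script>">this link</a>.</p>`

func main() {
	fmt.Println("vulnerable:", SanitizeAnchors(SamplePayload, VulnerablePolicy()))
	fmt.Println("fixed:     ", SanitizeAnchors(SamplePayload, FixedPolicy()))
}
```

Under the vulnerable policy the data: link is emitted unchanged; under the fixed policy the anchor survives as plain `<a>this link</a>` with no href. The same check also refuses javascript:, protocol-relative `//host` links and any scheme not explicitly listed, which is the shape a link allowlist should have regardless of which HTML library enforces it.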

Exploit · Fix · XSS


Weakness Enumeration

Related Identifiers

BDU:2026-06150
CVE-2026-26022
GHSA-XRCR-GMF5-2R8J
GO-2026-4620
SUSE-SU-2026:1042-1

Affected Products

Gogs