PT-2026-23486 · Gogs · Gogs

Rezmoss · Published 2026-02-13 · Updated 2026-03-25 · CVE-2026-26195

CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Gogs versions prior to 0.14.2

Description: Gogs, a self-hosted Git service, contains a stored cross-site scripting (XSS) issue caused by unsafe template rendering. The issue arises from combining user-controlled input with a permissive sanitizer that allows data: URLs and with the template helper safe(), which disables HTML escaping. Specifically, committer names on branch pages and arguments substituted into locale strings are vulnerable to injection. An attacker who can inject commit metadata, such as an author or committer name, can trigger script execution on affected pages, potentially leading to session abuse, theft of Cross-Site Request Forgery (CSRF) tokens, or unauthorized actions performed as the victim. The safe() function in internal/template/template.go bypasses the escaping mechanisms of the template engine. The vulnerable templates are templates/repo/branches/overview.tmpl, templates/repo/branches/all.tmpl, and templates/repo/wiki/view.tmpl. The locale file conf/locale/locale_en-US.ini also contributes to the issue because its strings receive raw, unescaped arguments.

Recommendations: Update to version 0.14.2 or later.
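To make the root cause concrete, the following Go program is an added illustration, not Gogs' code: it defines a stand-in `safeFunc` (assumed to behave like the safe() helper the advisory names, returning `template.HTML`), renders a constructed committer name through a one-cell template once with and once without that helper, and runs the check a regression test for this bug class would apply to the output. The template fragment, the sample name and the function names are all hypothetical.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	"strings"
)

// Constructed sample: a committer name carrying markup. In the advisory the
// attacker-controlled input is commit metadata (author/committer name) that
// is later displayed on branch pages.
const untrustedCommitter = `Mallory <script>alert(1)</script>`

// safeFunc is an illustrative stand-in for the kind of helper the advisory
// describes (Gogs' safe() in internal/template/template.go). It is not the
// project's code. Returning template.HTML tells html/template that the value
// is already-trusted markup, so contextual autoescaping is skipped for it.
func safeFunc(s string) template.HTML { return template.HTML(s) }

// renderCommitterCell renders one table cell of a hypothetical branch row.
// useSafe=true pipes the name through safe, as the vulnerable templates did;
// useSafe=false lets html/template escape it as ordinary text (the fix).
func renderCommitterCell(committer string, useSafe bool) (string, error) {
	src := `<td class="committer">{{.Committer}}</td>`
	if useSafe {
		src = `<td class="committer">{{safe .Committer}}</td>`
	}
	// Funcs must be registered before Parse so the template can resolve "safe".
	t, err := template.New("row").Funcs(template.FuncMap{"safe": safeFunc}).Parse(src)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, map[string]string{"Committer": committer}); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// ContainsLiveScript is the check a regression test for this bug class would
// run over rendered output: an unescaped "<script" means the committer-controlled
// string reached the page as markup rather than as text.
func ContainsLiveScript(rendered string) bool {
	return strings.Contains(strings.ToLower(rendered), "<script")
}

func main() {
	for _, useSafe := range []bool{true, false} {
		out, err := renderCommitterCell(untrustedCommitter, useSafe)
		if err != nil {
			panic(err)
		}
		fmt.Printf("safe=%-5v live_script=%-5v %s\n", useSafe, ContainsLiveScript(out), out)
	}
}
```

With the helper in the pipeline the cell contains the raw `<script>` tag; without it, html/template emits `Mallory &lt;script&gt;alert(1)&lt;/script&gt;`, which the browser shows as text. The defensive rule this demonstrates is the one behind the 0.14.2 fix: a helper that returns `template.HTML` must only ever receive content the application itself generated or has already sanitized, never a field taken from commit metadata or from locale-string arguments.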

Exploit · Fix · XSS


Related Identifiers

BDU:2026-06147
CVE-2026-26195
GHSA-VGVF-M4FW-938J
GO-2026-4618
SUSE-SU-2026:1042-1

Affected Products

Gogs