PT-2026-23488 · Gogs · Gogs

Odgrso · Published 2026-02-19 · Updated 2026-03-25 · CVE-2026-26276

CVSS v2.0: 8.5 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:N
Name of the Vulnerable Software and Affected Versions: Gogs versions prior to 0.14.2

Description: Gogs, a self-hosted Git service, is affected by a DOM-based cross-site scripting (XSS) vulnerability. An authenticated attacker who can create or edit milestones in a repository can inject an HTML/JavaScript payload into a milestone's name. When another user selects that milestone on the New Issue page (/issues/new), the name is inserted into the page as HTML and the payload executes in the victim's browser session, potentially leading to information theft, CSRF token extraction, and unauthorized repository operations carried out with the victim's privileges. The impact therefore depends on the victim's permission level. The vulnerable parameter is the milestone name.

Recommendations: Update to version 0.14.2 or later. On an instance that was exposed before patching, reviewing existing milestone names for HTML markup is a useful additional check, since the stored names themselves are not rewritten by the upgrade.
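The following JavaScript is an added illustration of the vulnerability class described above; it is not Gogs' own code and is not taken from the advisory. It reconstructs the unsafe pattern (a milestone title concatenated into an HTML string that ends up in the DOM) next to two hardened forms, and adds a small audit helper for scanning milestone titles for markup. All function names, the sample milestone list and the payload are constructed for the example.

```javascript
// Added example: DOM-based XSS via a milestone name, reconstructed generically.
// NOT Gogs' code. Function names, sample data and the payload are assumptions.

// Constructed sample milestone list, as a New Issue page might hold it after
// loading. The second entry carries an attacker-chosen name.
const sampleMilestones = [
  { id: 1, title: "v0.14 release" },
  { id: 2, title: '<img src=x onerror="alert(document.cookie)">' },
];

// Vulnerable pattern: the title is concatenated into markup that is later
// assigned to innerHTML, so any tags in the title become live DOM nodes.
function renderSelectedMilestoneUnsafe(milestone) {
  return '<span class="selected-milestone">' + milestone.title + "</span>";
}

// HTML escaper sufficient for text nodes and double-quoted attribute values.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Hardened form 1: escape before interpolating into an HTML string.
function renderSelectedMilestoneSafe(milestone) {
  return '<span class="selected-milestone">' + escapeHtml(milestone.title) + "</span>";
}

// Hardened form 2 (preferred when a DOM is available): build the node and set
// textContent, which treats the title as data and never parses it as HTML.
// Returns null outside a browser (e.g. under Node) so the block still runs.
function renderSelectedMilestoneDom(milestone, doc = globalThis.document) {
  if (!doc) return null;
  const span = doc.createElement("span");
  span.className = "selected-milestone";
  span.textContent = milestone.title;
  return span;
}

// Audit helper: return ids of milestones whose title contains tag-like markup,
// a javascript: URL or an inline event handler. Use it on the milestone list
// of an instance that was exposed before the upgrade to 0.14.2.
function findMarkupInTitles(milestones) {
  const markup = /<[a-zA-Z!\/]|javascript:|\bon\w+\s*=/i;
  return milestones.filter((m) => markup.test(m.title)).map((m) => m.id);
}

// Stand-alone demonstration.
for (const m of sampleMilestones) {
  console.log("unsafe:", renderSelectedMilestoneUnsafe(m));
  console.log("safe:  ", renderSelectedMilestoneSafe(m));
}
console.log("suspicious milestone ids:", findMarkupInTitles(sampleMilestones));
```

The escaped output is what a browser should receive: the `<img>` payload is rendered as literal text instead of an element with an `onerror` handler. The textContent variant avoids HTML string building altogether and is the form to prefer in page scripts.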

Tags: Exploit · Fix · XSS


Weakness Enumeration

Related Identifiers

BDU:2026-06149
CVE-2026-26276
GHSA-VGJM-2CPF-4G7C
GO-2026-4627
SUSE-SU-2026:1042-1

Affected Products

Gogs