PT-2026-51130 · Gogs+1

Published 2026-06-20 · Updated 2026-06-22 · CVE-2026-52798

CVSS v3.1: 8.9 High
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions: Gogs (affected versions not specified)
Description: A stored cross-site scripting issue exists due to the use of an outdated notebookjs library. While .ipynb previews are sanitized on the server side via the '/-/api/sanitize ipynb' endpoint, the markdown of cells placed in elements with the .nb-markdown-cell class is then re-rendered on the client side with the marked() function and no further sanitization, so links carrying the javascript: scheme are regenerated despite the server-side pass. An attacker who can commit to a repository adds a crafted .ipynb file; when a victim opens the file preview and clicks the malicious link, arbitrary JavaScript executes within the Gogs origin. The vector reflects these preconditions: the attacker needs an account that can commit (PR:L) and the victim must click the link (UI:R). Successful exploitation can lead to unauthorized actions with the victim's account privileges, theft of sensitive information, or instance-wide configuration changes if the victim is an administrator.
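The rendering flaw above, as an added illustration that is not Gogs or notebookjs code: a minimal stand-in for the marked() call that handles only inline [text](url) links and copies the href through untouched, beside a hardened renderer that resolves every href with the WHATWG URL parser and keeps only http:, https: and mailto: links. The notebook cell text, the gogs.example base URL and all function names are constructed for the example.

```javascript
// Added example: not Gogs or notebookjs code. Contrasts the unsafe
// client-side link rendering described in the advisory with a hardened
// form that allow-lists link schemes before the HTML reaches the DOM.

// Matches inline markdown links `[text](url)`, allowing one level of
// parentheses inside the url so `alert(document.cookie)` is captured.
const LINK_RE = /\[([^\]]+)\]\(((?:[^()\s]|\([^()\s]*\))+)\)/g;

// Constructed sample: the markdown source of one notebook cell as an
// attacker might commit it; not taken from any real notebook.
const SAMPLE_CELL =
  '## Results\n\nSee [the dashboard](javascript:alert(document.cookie)) ' +
  'and [the docs](https://example.com/docs?a=1&b=2).';

// Stand-in for marked() on a .nb-markdown-cell: copies the href through
// verbatim with no scheme check, which is what lets javascript: links
// reappear after the server-side sanitizer has run.
function renderMarkdownCellUnsafe(md) {
  return md.replace(LINK_RE, (_, text, href) => `<a href="${href}">${text}</a>`);
}

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Resolve the character references a browser would decode inside an
// attribute value, so `java&#115;cript:` and `javascript&colon;` are
// judged as the javascript: scheme they become in the DOM.
function decodeEntities(s) {
  const named = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'",
                  colon: ':', Tab: '\t', NewLine: '\n' };
  return s.replace(/&(#[xX][0-9a-fA-F]+|#[0-9]+|[a-zA-Z]+);/g, (m, body) => {
    if (body[0] === '#') {
      const cp = body[1].toLowerCase() === 'x'
        ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
      return cp <= 0x10ffff ? String.fromCodePoint(cp) : m;
    }
    return Object.prototype.hasOwnProperty.call(named, body) ? named[body] : m;
  });
}

const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

// Assumed base URL for the Gogs instance; relative links resolve against
// it and so inherit its https: scheme.
const PAGE_BASE = 'https://gogs.example/';

function isSafeHref(href) {
  let url;
  try {
    // The WHATWG parser lowercases the scheme, drops tab and newline
    // anywhere in the input, and trims leading/trailing C0 controls and
    // spaces, so `JaVaScRiPt:`, `java\tscript:` and ` javascript:` all
    // surface as protocol "javascript:".
    url = new URL(decodeEntities(href), PAGE_BASE);
  } catch {
    return false; // unparseable: refuse rather than guess
  }
  return ALLOWED_SCHEMES.has(url.protocol);
}

// Hardened renderer: same link syntax, but the href is checked and the
// text and href are escaped before they are placed in the HTML.
function renderMarkdownCellHardened(md) {
  return md.replace(LINK_RE, (_, text, href) =>
    isSafeHref(href)
      ? `<a href="${escapeHtml(href)}" rel="noopener noreferrer">${escapeHtml(text)}</a>`
      : `<a>${escapeHtml(text)}</a>`); // keep the text, drop the link
}

console.log(renderMarkdownCellUnsafe(SAMPLE_CELL));
console.log(renderMarkdownCellHardened(SAMPLE_CELL));
```

Run with node. The check is deliberately made on the decoded, parsed URL rather than on a string prefix, since a prefix test misses case changes, embedded tabs or newlines, leading whitespace and character references, all of which a browser resolves to javascript: once the HTML is in the DOM. A production fix would apply the same allow-list through a DOM-based sanitizer such as DOMPurify over the full marked() output, not only over link syntax.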
Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

XSS


Weakness Enumeration

Related Identifiers

CVE-2026-52798
GHSA-JQ8V-RMF6-65JW

Affected Products

Gogs
Notebookjs