PT-2026-51625

Published 2026-06-23 · Updated 2026-06-23 · CVE-2026-52807

Severity: None. No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions

Gogs (affected versions not specified)
Gitea (affected versions not specified)

Description

A stored DOM-based Cross-Site Scripting (XSS) issue exists where an attacker can store an HTML or JavaScript payload in a milestone name. When a user opens the New Issue page and interacts with the milestone dropdown, the payload executes in the browser. The cause is that the milestone dropdown in templates/repo/issue/new_form.tmpl does not apply the necessary sanitization. Go's default template auto-escaping is applied when the page is rendered, but the Semantic UI 2.4.2 dropdown component uses preserveHTML: true by default. When an item is selected, the component's internal set.text() method passes the item label through jQuery's .html() function; because the browser has already decoded the escaped label back to its raw text, .html() re-parses it as HTML and the injected script runs. This can lead to session hijacking (theft of session cookies) or unauthorized actions performed as the victim.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.
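As an added illustration (not code from Gogs, Gitea or Semantic UI), the following Node script models the escape, decode and re-parse chain described above with plain string functions so it runs without a DOM. It assumes the option label is emitted by Go's html/template and read back by the dropdown via jQuery .text(), and shows the weak default setting next to the hardened one.

```javascript
// Added example, not code from Gogs, Gitea or Semantic UI. Models the
// escape/decode/re-parse chain of the milestone dropdown without a DOM.
// Assumed: the option label is emitted by Go html/template (escaped) and
// the dropdown reads it back via jQuery .text() before re-inserting it.

// Go html/template escaping for text content (same entities as html.EscapeString).
function goTemplateEscape(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
          .replace(/"/g, '&#34;').replace(/'/g, '&#39;');
}

// What jQuery .text() returns for that option: the browser's HTML parser has
// already decoded the entities, so the label is back to its raw form.
// Decoding &amp; last keeps a literal "&lt;" typed by the user as text.
function browserTextContent(markup) {
  return markup.replace(/&lt;/g, '<').replace(/&gt;/g, '>')
               .replace(/&#34;/g, '"').replace(/&#39;/g, "'")
               .replace(/&amp;/g, '&');
}

// Models Semantic UI's set.text(): with preserveHTML true the label goes
// through .html() (parsed as markup); with false it goes through .text()
// (set as textContent). Returns the serialized contents of the .text element.
function dropdownSetText(label, preserveHTML) {
  return preserveHTML ? label : goTemplateEscape(label);
}

// Full chain: milestone name -> template output -> dropdown read -> selection.
function selectedLabelMarkup(milestoneName, preserveHTML) {
  const optionMarkup = goTemplateEscape(milestoneName); // server-side escaping
  const label = browserTextContent(optionMarkup);       // escaping undone by parser
  return dropdownSetText(label, preserveHTML);          // re-inserted into the page
}

// Constructed milestone name containing inert markup (no script).
const MILESTONE = '<b>Release 1.0</b>';

// Weak setting (Semantic UI 2.4.2 default): the <b> tag becomes a real node.
const weak = selectedLabelMarkup(MILESTONE, true);      // '<b>Release 1.0</b>'

// Hardened setting, i.e. initializing the dropdown with preserveHTML: false,
// for example $('.ui.dropdown').dropdown({ preserveHTML: false }):
// the markup stays visible text.
const hardened = selectedLabelMarkup(MILESTONE, false); // '&lt;b&gt;Release 1.0&lt;/b&gt;'
```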

XSS


Weakness Enumeration

Related Identifiers

CVE-2026-52807
GHSA-VCM5-GVMP-78MP

Affected Products

Gitea
Gogs