PT-2026-55302 · Forgejo · Forgejo
George Chen · Published 2026-07-02 · Updated 2026-07-02
CVE-2026-59102
CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Forgejo versions prior to 15.0.3
Description
Authenticated attackers can execute arbitrary JavaScript in the browsers of other users. This occurs when the DEFAULT_SHOW_FULL_NAME option is enabled and an attacker sets a full name containing an HTML payload. The issue arises because a server-side translation function fails to escape its arguments when assembling the description of an Actions run; the frontend then renders this content through a Vue v-html binding, so the injected script executes when a user views the affected Actions run page.
Recommendations
Update to version 15.0.3 or later.
Disable the DEFAULT_SHOW_FULL_NAME option as a temporary mitigation.
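The escaping gap described above, shown as an added Go example that is not Forgejo's own code: a translation helper that interpolates a user-controlled display name unescaped, beside one that escapes its arguments before the result is handed to the template layer. The message string and the display name are constructed for the example.

```go
package main

import (
	"fmt"
	"html"
	"html/template"
	"strings"
)

// Constructed stand-in for a locale message; the placeholder receives the
// actor's display name, which the user controls.
const runDescriptionMsg = "%s pushed to main"

// trUnsafe mirrors the flawed pattern from the advisory: arguments are
// interpolated into the translated message without escaping, so markup in a
// display name survives into output that is later rendered as raw HTML.
func trUnsafe(format string, args ...any) template.HTML {
	return template.HTML(fmt.Sprintf(format, args...))
}

// trSafe escapes every string argument before interpolation. The message
// itself is trusted (it comes from the locale files); only the arguments are
// user-controlled, so those are what must be escaped.
func trSafe(format string, args ...any) template.HTML {
	escaped := make([]any, len(args))
	for i, a := range args {
		if s, ok := a.(string); ok {
			escaped[i] = html.EscapeString(s)
		} else {
			escaped[i] = a
		}
	}
	return template.HTML(fmt.Sprintf(format, escaped...))
}

// hasRawTag reports whether the output still carries an unescaped tag, the
// kind of assertion a regression test for this bug would make.
func hasRawTag(s template.HTML) bool {
	return strings.Contains(string(s), "<")
}

func main() {
	// Constructed display name with benign markup, not an exploit payload.
	fullName := "Alice <b>Admin</b>"
	fmt.Println("unsafe:", trUnsafe(runDescriptionMsg, fullName))
	fmt.Println("safe:  ", trSafe(runDescriptionMsg, fullName))
}
```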
Affected Products
Forgejo