PT-2026-55302 · Forgejo

George Chen · Published 2026-07-02 · Updated 2026-07-02

CVE-2026-59102 · CVSS v3.1 5.4 (Medium)

Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Forgejo versions prior to 15.0.3

Description: Authenticated attackers can execute arbitrary JavaScript in the browsers of other users. This occurs when the DEFAULT_SHOW_FULL_NAME option is enabled and an attacker sets a full name containing an HTML payload. The issue arises because a server-side translation function fails to escape its arguments when assembling the run description for an Actions run, and the frontend then renders that content through a Vue v-html binding, so the injected script executes when a user views the affected Actions run page.

Recommendations: Update to version 15.0.3 or later. As a temporary mitigation, disable the DEFAULT_SHOW_FULL_NAME option.
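The two interpolation patterns the description contrasts, shown side by side as an added example (this is not Forgejo's code); the message template, the `%s` placeholder syntax and the sample full name are assumptions:

```javascript
// Added example, not Forgejo's code. A minimal translation/format helper
// that substitutes arguments into an HTML message template, shown first
// without argument escaping (the defect class described above) and then
// with escaping. The template and the constructed full name are assumptions.

// Escape the characters that can change meaning in HTML text or attributes.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')   // must run first to avoid double-escaping
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hypothetical run-description template; the real translation key is not
// on the page. "%s" placeholders are filled positionally.
const RUN_DESCRIPTION_TEMPLATE = '<a href="%s">%s</a> triggered by %s';

// Vulnerable pattern: arguments are spliced verbatim into HTML that the
// frontend later renders with v-html, so markup in a full name is live.
function formatUnsafe(template, ...args) {
  let i = 0;
  return template.replace(/%s/g, () => String(args[i++]));
}

// Hardened pattern: each argument is escaped before substitution. The
// template's own markup survives; argument-supplied markup becomes text.
function formatSafe(template, ...args) {
  let i = 0;
  return template.replace(/%s/g, () => escapeHtml(args[i++]));
}

// Constructed sample: a full name carrying harmless markup stands in for a
// user-controlled value; only its escaping, not the payload, matters here.
const SAMPLE_FULL_NAME = 'Eve <i>Example</i>';

function demo() {
  const args = ['/org/repo/actions/runs/1', 'CI run #1', SAMPLE_FULL_NAME];
  return {
    unsafe: formatUnsafe(RUN_DESCRIPTION_TEMPLATE, ...args),
    safe: formatSafe(RUN_DESCRIPTION_TEMPLATE, ...args),
  };
}
```

Escaping at the point where arguments enter the template keeps the fix independent of how many views later render the string with v-html.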

Exploit · Fix · XSS


Related Identifiers

CVE-2026-59102

Affected Products

Forgejo