CVE-2026-26022
Undergoing Analysis Undergoing Analysis - In Progress
Stored XSS in Gogs Comments via Data URI Scheme Injection

Publication date: 2026-03-05

Last updated on: 2026-03-06

Assigner: GitHub, Inc.

Description
Gogs is an open source self-hosted Git service. Prior to version 0.14.2, a stored cross-site scripting (XSS) vulnerability exists in the comment and issue description functionality. The application's HTML sanitizer explicitly allows data: URI schemes, enabling authenticated users to inject arbitrary JavaScript execution via malicious links. This issue has been patched in version 0.14.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-05
Last Modified
2026-03-06
Generated
2026-06-19
AI Q&A
2026-03-05
EPSS Evaluated
2026-06-18
NVD
CVE-2026-26022
EUVD
EUVD-2026-9851
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
gogs gogs to 0.14.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-26022 is a stored Cross-Site Scripting (XSS) vulnerability in Gogs, an open source self-hosted Git service. Prior to version 0.14.2, the application's HTML sanitizer allowed the use of the data: URI scheme without proper restrictions. This allowed authenticated users to inject malicious JavaScript via specially crafted data URI links embedded in raw HTML anchor tags within comments and issue descriptions."}, {'type': 'paragraph', 'content': 'The vulnerability arises because the sanitizer permitted all data: URIs, including unsafe types like data:text/html or SVG images, which can contain executable scripts. Attackers could embed JavaScript payloads in these data URIs, which would execute in the browsers of users viewing the affected content.'}, {'type': 'paragraph', 'content': 'The issue was fixed by restricting the sanitizer to only allow data URIs with safe image MIME types (such as image/png, image/jpeg, image/gif, image/webp, and image/x-icon), effectively blocking executable script payloads embedded in data URIs.'}] [2, 1, 3]

Impact Analysis

This vulnerability can have serious security impacts if exploited. An attacker who is an authenticated user can inject malicious JavaScript into comments or issue descriptions that other users view.

  • Steal authentication cookies and session tokens from users, potentially hijacking their accounts.
  • Perform arbitrary actions on behalf of victims, such as modifying repositories or adding collaborators.
  • Redirect users to malicious websites, leading to further attacks or phishing.

The vulnerability has a high severity with a CVSS v3.1 base score of 8.7, indicating it is exploitable remotely with low complexity and requires only low privileges (authenticated users) and user interaction (clicking the malicious link).

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by identifying stored Cross-Site Scripting (XSS) payloads embedded in the comment and issue description fields of the Gogs service, specifically those using raw HTML anchor tags with data URI schemes that execute JavaScript.'}, {'type': 'paragraph', 'content': 'A proof-of-concept involves creating or searching for comments or issues containing raw HTML anchor tags with href attributes using data:text/html or other unsafe data URI schemes that embed JavaScript payloads.'}, {'type': 'paragraph', 'content': 'To detect such payloads, you can search the database or exported data for patterns like `<a href="data:text/html;base64,` or other data URI schemes that are not safe image MIME types.'}, {'type': 'list_item', 'content': 'Use grep or similar tools on exported issue/comment data: `grep -r \'<a href="data:text/html\' /path/to/gogs/data`'}, {'type': 'list_item', 'content': 'Query the database for comments or issues containing suspicious data URI links, e.g., using SQL: `SELECT * FROM comments WHERE content LIKE \'%<a href="data:%\'`'}, {'type': 'paragraph', 'content': 'Since the vulnerability requires authenticated users to inject malicious links, monitoring logs for unusual or suspicious comment submissions containing raw HTML with data URIs can also help detect exploitation attempts.'}] [2]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The immediate mitigation step is to upgrade Gogs to version 0.14.2 or later, where the vulnerability has been patched.'}, {'type': 'paragraph', 'content': "The patch restricts the HTML sanitizer's allowance of the data URI scheme to only safe image MIME types (image/png, image/jpeg, image/gif, image/webp, image/x-icon), preventing execution of malicious JavaScript embedded in data URIs."}, {'type': 'paragraph', 'content': 'If upgrading immediately is not possible, consider applying the patch that modifies the sanitizer to use a custom validation function to whitelist safe data URI MIME types and reject others.'}, {'type': 'paragraph', 'content': 'Additionally, review and sanitize existing comments and issue descriptions to remove any malicious data URI links.'}, {'type': 'paragraph', 'content': 'Limit user privileges to reduce the risk of authenticated users injecting malicious content, and educate users to avoid clicking suspicious links.'}] [1, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-26022. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart