CVE-2026-26022
Stored XSS in Gogs Comments via Data URI Scheme Injection
Publication date: 2026-03-05
Last updated on: 2026-03-06
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gogs | gogs | < 0.14.2 (0.14.2 itself not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-26022 is a stored Cross-Site Scripting (XSS) vulnerability in Gogs, an open source self-hosted Git service. Prior to version 0.14.2, the application's HTML sanitizer allowed the data: URI scheme without proper restrictions, so authenticated users could inject malicious JavaScript via specially crafted data URI links embedded in raw HTML anchor tags within comments and issue descriptions.

The vulnerability arises because the sanitizer permitted all data: URIs, including unsafe types such as data:text/html or SVG images, which can contain executable scripts. Attackers could embed JavaScript payloads in these data URIs, which would execute in the browsers of users viewing the affected content.

The issue was fixed by restricting the sanitizer to data URIs with safe image MIME types only (image/png, image/jpeg, image/gif, image/webp and image/x-icon), which blocks executable script payloads embedded in data URIs. [2, 1, 3]
How can this vulnerability impact me?
This vulnerability can have serious security impact if exploited. An attacker who is an authenticated user can inject malicious JavaScript into comments or issue descriptions that other users view, and that script can:
- Steal authentication cookies and session tokens from users, potentially hijacking their accounts.
- Perform arbitrary actions on behalf of victims, such as modifying repositories or adding collaborators.
- Redirect users to malicious websites, leading to further attacks or phishing.
The vulnerability has a high severity with a CVSS v3.1 base score of 8.7, indicating it is exploitable remotely with low complexity and requires only low privileges (authenticated users) and user interaction (clicking the malicious link).
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by looking for stored Cross-Site Scripting (XSS) payloads in the comment and issue description fields of the Gogs service, specifically raw HTML anchor tags whose href uses a data URI scheme that can carry JavaScript.

A proof-of-concept search looks for comments or issues containing raw HTML anchor tags whose href attribute uses data:text/html or another unsafe data URI type that embeds a JavaScript payload.

To find such payloads, search the database or exported data for patterns such as `<a href="data:text/html;base64,` or any data URI whose MIME type is not a safe image type.

- Use grep or a similar tool on exported issue/comment data: `grep -r '<a href="data:text/html' /path/to/gogs/data`
- Query the database for comments or issues containing suspicious data URI links, e.g. with SQL: `SELECT * FROM comments WHERE content LIKE '%<a href="data:%'`

Since exploitation requires an authenticated user to inject the link, monitoring logs for unusual or suspicious comment submissions containing raw HTML with data URIs can also reveal exploitation attempts. [2]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Gogs to version 0.14.2 or later, where the vulnerability has been patched.

The patch restricts the HTML sanitizer's handling of the data URI scheme to safe image MIME types only (image/png, image/jpeg, image/gif, image/webp, image/x-icon), preventing execution of malicious JavaScript embedded in data URIs.

If upgrading immediately is not possible:

- Apply the patch that modifies the sanitizer to use a custom validation function that whitelists safe data URI MIME types and rejects all others.
- Review and sanitize existing comments and issue descriptions to remove any malicious data URI links.
- Limit user privileges to reduce the risk of authenticated users injecting malicious content, and educate users to avoid clicking suspicious links. [1, 3]
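As an added example (not Gogs' own code or the upstream patch), the following Go program implements the allow-list check the fix describes and reuses it to flag data: hrefs in stored comment bodies, covering both the detection and the mitigation advice above. The function names, the regular expression and the sample comment are assumptions constructed for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Image allow-list named in the advisory's description of the fix.
var safeDataMIMETypes = map[string]bool{"image/png": true, "image/jpeg": true,
	"image/gif": true, "image/webp": true, "image/x-icon": true}

// dataURIMediaType parses an RFC 2397 "data:[<mediatype>][;base64],<payload>" header.
func dataURIMediaType(raw string) (mediaType string, ok bool) {
	s := strings.TrimSpace(raw)
	header, _, found := strings.Cut(s, ",")
	if !found || len(s) < 5 || !strings.EqualFold(s[:5], "data:") {
		return "", false // not a data: URI, or no comma before the payload
	}
	mediaType = strings.ToLower(strings.TrimSpace(strings.SplitN(header[5:], ";", 2)[0]))
	if mediaType == "" {
		mediaType = "text/plain" // RFC 2397 default when the type is omitted
	}
	return mediaType, true
}

// isSafeDataURI is the per-scheme check the fix describes: only allow-listed
// image types pass; text/html, image/svg+xml and malformed headers are rejected.
func isSafeDataURI(raw string) bool {
	mt, ok := dataURIMediaType(raw)
	return ok && safeDataMIMETypes[mt]
}

// hrefDataRe finds href attributes holding a data: URI in raw HTML anchors.
var hrefDataRe = regexp.MustCompile(`(?i)href\s*=\s*["']?\s*(data:[^"'\s>]*)`)

// unsafeDataHrefs lists the data: hrefs in a stored comment body that fail the check.
func unsafeDataHrefs(commentHTML string) []string {
	var hits []string
	for _, m := range hrefDataRe.FindAllStringSubmatch(commentHTML, -1) {
		if !isSafeDataURI(m[1]) {
			hits = append(hits, m[1])
		}
	}
	return hits
}

func main() { // constructed sample comment body, not real Gogs data
	fmt.Println(unsafeDataHrefs(`<a href="data:image/png;base64,iVBORw0KGgo=">ok</a>` +
		` <a href="data:text/html;base64,PGh0bWw+">flag me</a>`))
}
```

Run it over exported comment bodies to list the links that the patched sanitizer would reject; the same `isSafeDataURI` logic is what a sanitizer's per-scheme URL policy for `data:` needs to enforce.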