Executive Summary

CVE-2026-26195 is a stored Cross-Site Scripting (XSS) vulnerability in the Gogs self-hosted Git service affecting versions prior to 0.14.2. The issue arises because untrusted user input, specifically git commit author and committer names, are directly inserted into locale strings used in templates without proper HTML escaping. These names are passed through a safe template function that disables HTML escaping, allowing malicious input to be rendered as executable code in views such as branch overview, branch list, and wiki pages.

The root cause is unsafe template rendering that mixes user input with a permissive sanitizer that does not fully neutralize potentially harmful content, especially data URLs. The vulnerability allows attackers who can inject commit metadata to execute arbitrary scripts in the web interface.

The issue was fixed in version 0.14.2 by introducing proper sanitization and escaping of these user inputs before they are inserted into locale strings, using functions like HTMLEscapeString and Sanitize to ensure special characters are safely encoded.

Useful 0 Not Useful 0

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability can allow an attacker who can control commit author or committer names to inject malicious scripts into the Gogs web interface. When other users view affected pages such as branch overviews or wiki pages, these scripts can execute in their browsers.'}, {'type': 'list_item', 'content': "Execution of arbitrary JavaScript code in users' browsers."}, {'type': 'list_item', 'content': 'Potential session hijacking by stealing authentication cookies.'}, {'type': 'list_item', 'content': 'Cross-Site Request Forgery (CSRF) token theft leading to unauthorized actions.'}, {'type': 'list_item', 'content': 'General compromise of user accounts or data accessible through the web interface.'}] [3]

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'Detection of this vulnerability involves identifying if your Gogs instance is running a version prior to 0.14.2 where unsafe template rendering of commit author or committer names occurs.'}, {'type': 'paragraph', 'content': 'You can check the Gogs version by running the following command on the server hosting Gogs:'}, {'type': 'list_item', 'content': 'curl -s http://your-gogs-instance/api/v1/version'}, {'type': 'paragraph', 'content': 'Additionally, you can inspect commit metadata for suspicious or malicious content in author or committer names that might exploit the vulnerability.'}, {'type': 'paragraph', 'content': 'For example, to list recent commits with author and committer names, you can use git commands in your repositories:'}, {'type': 'list_item', 'content': 'git log --pretty=format:"%h %an %cn %s"'}, {'type': 'paragraph', 'content': 'Look for unusual or suspicious characters or scripts in the author or committer names that could indicate exploitation attempts.'}] [1, 2, 3]

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to upgrade your Gogs installation to version 0.14.2 or later, where the vulnerability has been patched by properly escaping untrusted user input in templates.

If upgrading immediately is not possible, you should:

• Avoid injecting or accepting untrusted commit metadata such as author or committer names that could contain malicious scripts.
• Review and sanitize commit metadata before it is rendered in the web interface.
• Limit or block data URLs in the sanitizer configuration to reduce risk from permissive data URL handling.

These steps help prevent exploitation of the stored XSS vulnerability until you can apply the official patch.

Useful 0 Not Useful 0