CVE-2026-26276
DOM-Based XSS in Gogs Milestone Names Allows Code Execution
Publication date: 2026-03-05
Last updated on: 2026-03-05
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gogs | gogs | to 0.14.2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': "CVE-2026-26276 is a DOM-based Cross-Site Scripting (XSS) vulnerability in the Gogs project, an open source self-hosted Git service. The vulnerability occurs because user-controlled input, specifically the Milestone name in a repository, is inserted into the web page's DOM using unsafe methods that allow malicious HTML or JavaScript to execute. An attacker can store a malicious script in a Milestone name, and when another user selects that Milestone on the New Issue page, the script executes in the victim's browser."}, {'type': 'paragraph', 'content': 'The root cause is unsafe string concatenation combined with jQuery’s `.html()` method, which interprets user input as executable HTML. The fix involved replacing these unsafe methods with safer DOM construction methods like `.text()`, `.attr()`, and `document.createTextNode()`, ensuring user input is treated as plain text and preventing script execution.'}] [1, 2]
How can this vulnerability impact me? :
This vulnerability can have serious impacts including theft of sensitive information accessible within the victim’s session, such as CSRF tokens. An attacker can perform unauthorized actions on behalf of the victim, including managing issues and changing repository settings, depending on the victim’s permission level.
Because the attack executes in the victim’s browser context, it requires the victim to interact with the malicious Milestone selection. The vulnerability has a high severity score (CVSS 7.3) due to its potential to compromise confidentiality and integrity without affecting availability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability involves a DOM-based Cross-Site Scripting (XSS) triggered by malicious HTML/JavaScript payloads stored in repository Milestone names and executed when a user selects that Milestone on the New Issue page.'}, {'type': 'paragraph', 'content': 'To detect this vulnerability on your system, you should check if your Gogs instance is running a version prior to 0.14.2, as those versions are vulnerable.'}, {'type': 'paragraph', 'content': 'You can inspect repository Milestone names for suspicious HTML or JavaScript content that could be used to trigger XSS.'}, {'type': 'paragraph', 'content': 'Since this is a web application vulnerability, network detection might involve monitoring HTTP traffic for suspicious payloads in requests related to Milestone creation or updates.'}, {'type': 'paragraph', 'content': 'Suggested commands include querying your Gogs database for Milestone names containing HTML tags or script elements. For example, if you have access to the database, you could run a SQL query like:'}, {'type': 'list_item', 'content': "SELECT * FROM milestones WHERE name LIKE '%<script>%' OR name LIKE '%<img%' OR name LIKE '%<iframe%';"}, {'type': 'paragraph', 'content': 'Additionally, you can use web application security scanners or browser developer tools to test the /issues/new page by selecting Milestones and observing if any scripts execute.'}] [2]
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade your Gogs installation to version 0.14.2 or later, where this vulnerability has been fixed.
The fix involves safe DOM manipulation practices replacing unsafe string concatenation and usage of jQuery’s .html() method with safer methods like .text(), .attr(), and document.createTextNode(), preventing execution of malicious scripts.
Until you can upgrade, avoid using or selecting Milestones that may contain untrusted or suspicious input.
Review and sanitize existing Milestone names in your repositories to remove any potentially malicious HTML or JavaScript content.
Consider restricting permissions to limit who can create or modify Milestones to trusted users only.