CVE-2026-52816
Deferred Deferred - Pending Action

Stored XSS in Gogs via Unrestricted data URI in Sanitizer

Vulnerability report for CVE-2026-52816, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-24

Last updated on: 2026-06-25

Assigner: GitHub, Inc.

Description

Gogs is an open source self-hosted Git service. Prior to 0.14.3, the Jupyter Notebook (ipynb) sanitizer endpoint at POST /-/api/sanitize_ipynb allows arbitrary data: URIs without proper restrictions, potentially leading to Cross-Site Scripting (XSS). The endpoint uses bluemonday.UGCPolicy() with p.AllowURLSchemes("data") which permits all data URI schemes including data:text/html, enabling attackers to inject malicious HTML/JavaScript. Additionally, the endpoint has no authentication middleware, allowing any registered user to exploit this vulnerability. This vulnerability is fixed in 0.14.3.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-24
Last Modified
2026-06-25
Generated
2026-07-15
AI Q&A
2026-06-25
EPSS Evaluated
2026-07-13
NVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
gogs gogs to 0.14.3 (inc)
jupyter jupyter_notebook to 0.14.3 (exc)
bluemonday bluemonday *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-80 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability in Gogs allows Cross-Site Scripting (XSS) attacks via the Jupyter Notebook sanitizer endpoint, which could lead to unauthorized execution of malicious scripts when viewing notebook files.

Such XSS vulnerabilities can potentially lead to unauthorized access to sensitive data or user sessions, which may impact compliance with data protection regulations like GDPR or HIPAA that require safeguarding personal and sensitive information.

However, the provided information does not explicitly discuss the direct impact of this vulnerability on compliance with specific standards or regulations.

Executive Summary

This vulnerability exists in Gogs, an open source self-hosted Git service, specifically in versions prior to 0.14.3. The issue is with the Jupyter Notebook (ipynb) sanitizer endpoint at POST /-/api/sanitize_ipynb, which improperly allows arbitrary data: URIs without sufficient restrictions.

The sanitizer uses bluemonday.UGCPolicy() with p.AllowURLSchemes("data"), which permits all data URI schemes, including data:text/html. This enables attackers to inject malicious HTML or JavaScript code, leading to Cross-Site Scripting (XSS).

Additionally, the endpoint lacks authentication middleware, meaning any registered user can exploit this vulnerability.

This vulnerability was fixed in version 0.14.3 of Gogs.

Impact Analysis

This vulnerability can lead to Cross-Site Scripting (XSS) attacks, where an attacker injects malicious HTML or JavaScript code into the application.

Because the sanitizer endpoint allows arbitrary data URIs and lacks authentication, any registered user can exploit this to execute malicious scripts in the context of other users.

Such attacks can result in unauthorized actions, data theft, session hijacking, or other malicious activities affecting users of the Gogs service.

Mitigation Strategies

To mitigate this vulnerability, upgrade Gogs to version 0.14.3 or later, where the issue with the Jupyter Notebook sanitizer endpoint has been fixed.

Since the vulnerability allows arbitrary data URIs including malicious HTML/JavaScript and lacks authentication middleware, restricting access to the sanitizer endpoint and applying proper authentication controls can help reduce risk until the upgrade is applied.

Detection Guidance

This vulnerability can be detected by checking if your Gogs instance is running a version prior to 0.14.3 and if the POST /-/api/sanitize_ipynb endpoint is accessible without authentication.

You can attempt to detect the vulnerability by sending a crafted POST request to the vulnerable endpoint with a payload containing a data URI using a potentially malicious MIME type such as data:text/html and observing if the response improperly sanitizes it.

Example command using curl to test the endpoint:

  • curl -X POST https://your-gogs-instance/-/api/sanitize_ipynb -d '{"content":"data:text/html,<script>alert(1)</script>"}' -H 'Content-Type: application/json' -v

If the response contains the script tag or the data URI is not properly sanitized, the system is vulnerable.

Additionally, checking the version of Gogs running on your system can help determine if the vulnerability is present, as versions 0.14.3 and later include the fix.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-52816. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart