CVE-2026-52816
Status: Received - Intake
Stored XSS in Gogs via Unrestricted data URI in Sanitizer

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: GitHub, Inc.

Description
Gogs is an open source self-hosted Git service. Prior to 0.14.3, the Jupyter Notebook (ipynb) sanitizer endpoint at POST /-/api/sanitize_ipynb allows arbitrary data: URIs without proper restrictions, potentially leading to Cross-Site Scripting (XSS). The endpoint uses bluemonday.UGCPolicy() with p.AllowURLSchemes("data") which permits all data URI schemes including data:text/html, enabling attackers to inject malicious HTML/JavaScript. Additionally, the endpoint has no authentication middleware, allowing any registered user to exploit this vulnerability. This vulnerability is fixed in 0.14.3.
Meta Information
Generated: 2026-06-25
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 3 associated CPEs
Vendor        Product             Version / Range
gogs          gogs                < 0.14.3 (0.14.3 is the fixed release)
jupyter       jupyter_notebook    to 0.14.3 (exc)
bluemonday    bluemonday          *
The jupyter_notebook and bluemonday rows are automated CPE associations. The description places the flaw in Gogs's own sanitizer configuration (a Gogs policy that allows the data: scheme without restriction), not in Jupyter Notebook or in the bluemonday library itself; only the gogs row describes the affected software.
Exploitability
CWE
CWE ID  Description
CWE-80  Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS): the product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.
Executive Summary

This vulnerability exists in Gogs, an open source self-hosted Git service, in versions prior to 0.14.3. The issue is in the Jupyter Notebook (ipynb) sanitizer endpoint at POST /-/api/sanitize_ipynb, which accepts arbitrary data: URIs in the notebook HTML it sanitizes.

The sanitizer builds on bluemonday.UGCPolicy() and adds p.AllowURLSchemes("data"). That call allowlists the whole data: scheme, so a data: URI with any media type passes, including data:text/html, rather than only the inline images (data:image/...) a rendered notebook actually needs. An attacker can therefore place HTML or JavaScript inside a data:text/html URI and have it survive sanitization, leading to Cross-Site Scripting (XSS).

Additionally, the endpoint is not behind authentication middleware; the advisory states that any registered user can exploit this vulnerability.

This vulnerability was fixed in version 0.14.3 of Gogs.

Impact Analysis

This vulnerability is a stored Cross-Site Scripting (XSS) weakness: notebook HTML carrying a data: URI, for example an anchor whose href is a data:text/html document containing a script, passes the sanitizer unchanged and is rendered to other users.

Because the sanitizer endpoint permits every data: media type and is not behind authentication middleware, any registered user can plant such content and have it rendered in the context of other users of the Gogs instance.

A successful attack can result in unauthorized actions, data theft, session hijacking, or other activity performed as the victim. One practitioner caveat: a document loaded from a data:text/html URI runs in an opaque (null) origin rather than the Gogs origin, and Chrome and Firefox block top-level navigation to data: URLs initiated from a link, so the real-world impact depends on where and how the sanitized output is embedded. Treat the issue as exploitable and patch; do not rely on browser behaviour as the only defence.

Mitigation Strategies

To mitigate this vulnerability, upgrade Gogs to version 0.14.3 or later, where the Jupyter Notebook sanitizer endpoint has been fixed.

Until the upgrade is applied, two interim controls reduce the risk. First, because the endpoint lacks authentication middleware, deny requests to /-/api/sanitize_ipynb at the reverse proxy, or restrict them to signed-in users. Second, if you build Gogs from source, replace the blanket p.AllowURLSchemes("data") with a media-type-restricted policy; bluemonday provides AllowDataURIImages(), which admits data: URIs only when they carry a base64-encoded image/gif, image/jpeg, image/png or image/webp payload, and AllowURLSchemeWithCustomPolicy("data", func(*url.URL) bool) for a custom check. Either way, data:text/html and other script-capable media types are rejected while notebook image outputs keep rendering.
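The difference between a scheme-level allowlist (the vulnerable shape described above and in the Executive Summary) and a media-type-level allowlist (the hardened shape), as an added example in Go that is not Gogs's or bluemonday's code. It models both policies with the standard library only: the scheme set mirrors UGCPolicy's http/https/mailto plus the data entry the advisory describes, the image types mirror what bluemonday's AllowDataURIImages() accepts, and the URL list is constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample attribute values, modelled on what an ipynb cell's HTML
// output can carry: a normal link, a matplotlib-style inline PNG, and
// attacker-controlled data: and javascript: links.
var sampleURLs = []string{
	"https://example.com/notebook.ipynb",
	"data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==",
	"data:text/html,<script>alert(document.domain)</script>",
	"DATA:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==", // scheme is case-insensitive
	"data:,<script>alert(1)</script>",                             // no media type: text/plain per RFC 2397
	"javascript:alert(1)",
}

// schemeOf returns the lower-cased URL scheme, or "" when the value has
// none (a relative URL such as "./img.png" or "a/b:c").
func schemeOf(raw string) string {
	i := strings.IndexByte(raw, ':')
	if i <= 0 {
		return ""
	}
	for _, c := range raw[:i] {
		alpha := (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
		if !alpha && !(c >= '0' && c <= '9') && c != '+' && c != '-' && c != '.' {
			return ""
		}
	}
	return strings.ToLower(raw[:i])
}

// dataMediaType parses an RFC 2397 data URL ("data:[<mediatype>][;base64],<data>")
// and returns its lower-cased media type and whether the payload is declared
// base64. A missing media type defaults to text/plain.
func dataMediaType(raw string) (mediaType string, isBase64 bool, ok bool) {
	if schemeOf(raw) != "data" {
		return "", false, false
	}
	head, _, found := strings.Cut(raw[len("data:"):], ",")
	if !found {
		return "", false, false // not a well-formed data URL
	}
	parts := strings.Split(head, ";")
	mediaType = strings.ToLower(strings.TrimSpace(parts[0]))
	if mediaType == "" {
		mediaType = "text/plain"
	}
	for _, p := range parts[1:] {
		if strings.EqualFold(strings.TrimSpace(p), "base64") {
			isBase64 = true
		}
	}
	return mediaType, isBase64, true
}

// Scheme-level allowlist, the shape of the vulnerable policy: UGCPolicy's
// schemes plus "data". Every data: payload passes, whatever its media type.
var allowedSchemes = map[string]bool{"http": true, "https": true, "mailto": true, "data": true}

func allowedBySchemeOnly(raw string) bool {
	s := schemeOf(raw)
	if s == "" {
		return true // relative URL: admitted in this model (assumption for the example)
	}
	return allowedSchemes[s]
}

// Media-type-level allowlist, the hardened shape: data: URLs pass only when
// they carry a base64-encoded raster image, which is all a notebook output needs.
var allowedDataTypes = map[string]bool{"image/gif": true, "image/jpeg": true, "image/png": true, "image/webp": true}

func allowedByMediaType(raw string) bool {
	if schemeOf(raw) != "data" {
		return allowedBySchemeOnly(raw)
	}
	mt, b64, ok := dataMediaType(raw)
	return ok && b64 && allowedDataTypes[mt]
}

// Verdict records which of the two policies admits a URL.
type Verdict struct {
	URL        string
	SchemeOnly bool
	MediaType  bool
}

// Classify runs both policies over the given URLs.
func Classify(urls []string) []Verdict {
	out := make([]Verdict, 0, len(urls))
	for _, u := range urls {
		out = append(out, Verdict{URL: u, SchemeOnly: allowedBySchemeOnly(u), MediaType: allowedByMediaType(u)})
	}
	return out
}

func main() {
	for _, v := range Classify(sampleURLs) {
		fmt.Printf("scheme-only=%-5v media-type=%-5v %s\n", v.SchemeOnly, v.MediaType, v.URL)
	}
}
```

Running it shows the three data: payloads that are not images admitted by the scheme-only policy and rejected by the media-type policy, while the inline PNG passes both and javascript: passes neither. The point for a sanitizer policy is that "data" is not one kind of content: the allowlist has to be expressed at the media-type level, and only for attributes (such as img src) where an inline image makes sense.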
