CVE-2026-59102

Stored XSS in Forgejo via Actions Run Description

Vulnerability report for CVE-2026-59102, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-02

Last updated on: 2026-07-02

Assigner: VulnCheck

Description

Forgejo before 15.0.3 contains a stored cross-site scripting vulnerability that allows authenticated attackers to execute arbitrary JavaScript in other users' browsers by setting a full name containing an HTML payload and triggering an Actions run. When the DEFAULT_SHOW_FULL_NAME option is enabled, the run description is assembled server-side with the user's display name interpolated into an HTML string via a translation function that does not escape its arguments, and the frontend renders the result using a Vue v-html binding, causing script execution for any user who views the affected Actions run page.

Meta Information

Published: 2026-07-02
Last Modified: 2026-07-02
Generated: 2026-07-03
AI Q&A: 2026-07-02
EPSS Evaluated: N/A

Affected Vendors & Products

One associated CPE:

Vendor: forgejo
Product: forgejo
Version / Range: up to 15.0.3 (excluding)

Exploitability

CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Executive Summary

CVE-2026-59102 is a stored cross-site scripting (XSS) vulnerability in Forgejo versions before 15.0.3. It allows authenticated attackers to inject malicious JavaScript code into other users' browsers by setting their full name to include an HTML payload and then triggering an Actions run.

This happens when the DEFAULT_SHOW_FULL_NAME option is enabled. The server assembles the run description by inserting the user's display name into an HTML string without escaping special characters. The frontend then renders this string using Vue's v-html binding, which executes any embedded scripts when other users view the affected Actions run page.

Impact Analysis

This vulnerability can impact users by allowing attackers to execute arbitrary JavaScript in their browsers when they view a compromised Actions run page. This could lead to session hijacking, unauthorized actions performed on behalf of the user, or exposure of sensitive information accessible through the browser.

Since the attack requires an authenticated user to inject the payload and relies on other users viewing the affected page, the risk is limited but still significant in environments where trusted users interact with Actions runs.

Detection Guidance

This vulnerability can be detected by checking if your Forgejo instance is running a version before 15.0.3 and if the DEFAULT_SHOW_FULL_NAME option is enabled in the configuration.

You can also audit user Full Name fields for suspicious HTML or JavaScript payloads, especially if users have permissions to push to repositories with Actions enabled.

Since the vulnerability involves stored cross-site scripting in the Actions run description, reviewing recent Actions run pages for unexpected script execution or inspecting the HTML content of these pages may help detect exploitation.

No specific detection commands are provided in the available resources.

Mitigation Strategies

The immediate mitigation step is to upgrade Forgejo to version 15.0.3 or later, where this vulnerability has been patched.

If upgrading is not immediately possible, consider disabling the DEFAULT_SHOW_FULL_NAME option in the app.ini configuration file to prevent the vulnerable code path from being executed.

Additionally, review and sanitize user Full Name fields to remove any embedded HTML or JavaScript payloads.
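The escaping fix and the Full Name audit described above, as an added Go example (not Forgejo's own code): the unescaped interpolation pattern the advisory describes sits beside an escaped version, and a heuristic check flags stored Full Name values that carry markup. The description template, the function names and the sample names are assumptions for illustration.

```go
package main

import (
	"fmt"
	"html"
	"regexp"
)

// trNoEscape stands in for a translation helper that interpolates its arguments
// into an HTML string as-is (the unescaped pattern the advisory describes).
func trNoEscape(format string, args ...any) string {
	return fmt.Sprintf(format, args...)
}

// Assumed description template for illustration; not Forgejo's real string.
const runDescTemplate = `<b>%s</b> pushed to <code>%s</code>`

// VulnerableRunDescription interpolates the display name unescaped, so markup in
// a Full Name reaches the page as live HTML once a v-html binding renders it.
func VulnerableRunDescription(displayName, branch string) string {
	return trNoEscape(runDescTemplate, displayName, branch)
}

// SafeRunDescription escapes every untrusted argument before interpolation,
// so markup in a display name is rendered as literal text.
func SafeRunDescription(displayName, branch string) string {
	return trNoEscape(runDescTemplate, html.EscapeString(displayName), html.EscapeString(branch))
}

// markupRe flags tag-like sequences, inline event handlers and javascript: URLs.
// A bare '&' is not flagged because names such as "Tom & Jerry" are legitimate.
var markupRe = regexp.MustCompile(`(?i)<\s*/?[a-z!]|\bon[a-z]+\s*=|javascript:`)

// SuspiciousFullName reports whether a stored Full Name looks like an HTML/JS payload;
// run it over an export of the user table's full_name column.
func SuspiciousFullName(name string) bool {
	return markupRe.MatchString(name)
}

func main() {
	// Constructed sample values, not real users.
	for _, n := range []string{"Alice Example", "Tom & Jerry", "Eve <script>alert(1)</script>"} {
		fmt.Printf("%-32q suspicious=%v\n", n, SuspiciousFullName(n))
	}
	fmt.Println(VulnerableRunDescription("Eve <script>alert(1)</script>", "main"))
	fmt.Println(SafeRunDescription("Eve <script>alert(1)</script>", "main"))
}
```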
