anonhaven
Ad

CVE-2026-26276

MEDIUM CVSS 3.1: 5.4 EPSS 0.03%
Updated Mar 05, 2026
Gogs
Parameter Value
CVSS 5.4 (MEDIUM)
Affected Versions before 0.14.2
Fixed In 0.14.2
Type CWE-79 (Cross-Site Scripting (XSS))
Vendor Gogs
Public PoC No

Gogs is an open source self-hosted Git service. Prior to version 0.14.2, an attacker can store an HTML/JavaScript payload in a repository’s Milestone name, and when another user selects that Milestone on the New Issue page (/issues/new), a DOM-Based XSS is triggered. This issue has been patched in version 0.14.2.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Privileges Required
Low
Basic privileges needed
User Interaction
Required
User action required

Impact Assessment

Confidentiality
Low
Partial data leak
Integrity
Low
Partial data modification
Availability
None
No disruption

CVSS Vector v3.1

Weakness Type (CWE)

CWE-79 Cross-Site Scripting (XSS)

Vulnerable Products 1

Configuration From (including) Up to (excluding)
Gogs Gogs
cpe:2.3:a:gogs:gogs:*:*:*:*:*:*:*:*
 0.14.2

References 3

https://github.com/gogs/gogs/pull/8178
security-advisories@github.com
https://github.com/gogs/gogs/releases/tag/v0.14.2
security-advisories@github.com
https://github.com/gogs/gogs/security/advisories/GHSA-vgjm-2cpf-4g7c
security-advisories@github.com
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-26196

Gogs

6.9

CVE-2026-26195

Gogs

6.9

CVE-2026-26194

Gogs

8.8

CVE-2026-26022

Gogs

5.4

CVE-2026-25921

Gogs

9.3