GHSA-vgjm-2cpf-4g7c
Suggest an improvement- Source
- https://github.com/advisories/GHSA-vgjm-2cpf-4g7c
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-vgjm-2cpf-4g7c/GHSA-vgjm-2cpf-4g7c.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-vgjm-2cpf-4g7c
- Aliases
- Published
- 2026-03-05T20:16:20Z
- Modified
- 2026-03-23T04:56:07.977783395Z
- Severity
-
- 7.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N CVSS Calculator
- Summary
- Gogs: DOM-based XSS via milestone selection
- Details
-
Summary
It was confirmed in a test environment that an attacker can store an HTML/JavaScript payload in a repository’s Milestone name, and when another user selects that Milestone on the New Issue page (
/issues/new), a DOM-Based XSS is triggered.Impact
- Theft of information accessible in the victim’s session.
- Extraction of CSRF tokens and submission of state-changing requests with the victim’s privileges.
- Repository operations performed with the victim’s privileges (Issue operations, settings changes, etc.).
(The impact scope depends on the victim’s permission level.)
Remediation
A fix is available at https://github.com/gogs/gogs/releases/tag/v0.14.2
- Database specific
{ "github_reviewed": true, "nvd_published_at": "2026-03-05T19:16:04Z", "cwe_ids": [ "CWE-79" ], "github_reviewed_at": "2026-03-05T20:16:20Z", "severity": "HIGH" }- References
-
- https://github.com/gogs/gogs/security/advisories/GHSA-vgjm-2cpf-4g7c
- https://nvd.nist.gov/vuln/detail/CVE-2026-26276
- https://github.com/gogs/gogs/pull/8178
- https://github.com/gogs/gogs/commit/9001a68cdda7bd9c078ffd6d1c4622905ac11e5c
- https://github.com/gogs/gogs
- https://github.com/gogs/gogs/releases/tag/v0.14.2
Affected packages
Go / gogs.io/gogs
Package
- Name
- gogs.io/gogs
- View open source insights on deps.dev
- Purl
- pkg:golang/gogs.io/gogs