CVE-2026-26195
Gogs: Stored XSS in branch and wiki views through author and committer names

EPSS 0.04%

Description
### Summary

Stored XSS is still possible through unsafe template rendering that mixes user input with `safe()` plus permissive sanitizer handling of data URLs.

### Details

`safe()` still turns off escaping:

- internal/template/template.go
- `func safe(raw string) template.HTML { return template.HTML(raw) }`

Branch pages still render committer names using `safe()`:

- templates/repo/branches/overview.tmpl
- templates/repo/branches/all.tmpl
- templates/repo/wiki/view.tmpl

The locale still injects a raw second argument: conf/locale/locale_en-US.ini (`branches.updated_by = updated %[1]s by %[2]s`)

### Impact

An attacker who can inject commit metadata such as author/committer name can trigger script execution on affected pages, leading to session abuse, CSRF token theft, or unauthorized actions.

### Recommended Fix

- Untrusted arguments should be escaped before being used in translations.
- Data URLs should be limited or blocked in the sanitizer.

### Remediation

A fix is available at https://github.com/gogs/gogs/releases/tag/v0.14.2.
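The following Go program is an added illustration of the pattern the advisory describes and of the recommended fix; it is a constructed reduction, not code from the Gogs repository. It assumes a `safe()` helper identical to the one quoted above, the `updated %[1]s by %[2]s` locale message, and a hypothetical `Tr` template function that substitutes a committer name into that message. The vulnerable variant wraps the already-substituted string in `safe()`, so `html/template` trusts it and emits the name verbatim; the hardened variant escapes each untrusted argument before substitution, as the Recommended Fix section asks for.

```go
package main

import (
	"bytes"
	"fmt"
	"html"
	"html/template"
	"strings"
)

// safe mirrors the helper the advisory quotes from internal/template/template.go:
// it marks any string as trusted HTML, so html/template will not escape it.
func safe(raw string) template.HTML { return template.HTML(raw) }

// updatedBy is the branches.updated_by message quoted from conf/locale/locale_en-US.ini.
const updatedBy = "updated %[1]s by %[2]s"

// trUnsafe reproduces the vulnerable pattern: the raw committer name is
// substituted into the translation and the result is then marked safe, so the
// template engine emits whatever markup the name carried.
func trUnsafe(when, committer string) template.HTML {
	return safe(fmt.Sprintf(updatedBy, when, committer))
}

// trEscaped is the hardened variant: every untrusted argument is HTML-escaped
// before it is substituted into the translation, so marking the result safe
// no longer exposes attacker-controlled markup.
func trEscaped(when, committer string) template.HTML {
	return safe(fmt.Sprintf(updatedBy, html.EscapeString(when), html.EscapeString(committer)))
}

// render executes a minimal branch-row template (constructed for this example)
// with the supplied translation function and returns the resulting HTML.
func render(tr func(string, string) template.HTML, when, committer string) string {
	tmpl := template.Must(template.New("row").
		Funcs(template.FuncMap{"Tr": tr}).
		Parse(`<td class="updated">{{Tr .When .Committer}}</td>`))
	var buf bytes.Buffer
	err := tmpl.Execute(&buf, map[string]string{"When": when, "Committer": committer})
	if err != nil {
		panic(err)
	}
	return buf.String()
}

// ContainsRawScript is the check a reviewer or regression test would run on
// the rendered page: does an unescaped <script> tag survive into the output?
func ContainsRawScript(out string) bool { return strings.Contains(out, "<script>") }

func main() {
	// Constructed sample: a committer name carrying markup, as a commit header
	// written by an untrusted pusher might.
	name := "Mallory <script>alert(1)</script>"
	fmt.Println("vulnerable:", render(trUnsafe, "2 days ago", name))
	fmt.Println("hardened:  ", render(trEscaped, "2 days ago", name))
}
```

Running the program prints the vulnerable row with the `<script>` element intact and the hardened row with `&lt;script&gt;` instead. The design point is that escaping must happen per argument, before the translated string is marked safe; escaping the whole translated string afterwards would also neutralise any HTML the locale message itself is meant to carry, which is presumably why `safe()` was used in the first place.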
Affected packages (2)

- Go / gogs.io/gogs: from 0, <= 0.13.3
- Go / gogs.io/gogs: from 0

CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
References (6)

- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2026-26195
- PATCH: https://github.com/gogs/gogs
- WEB: https://github.com/gogs/gogs/commit/ac21150a53bef3a3061f4da787ab193a8d68ecfc
- WEB: https://github.com/gogs/gogs/pull/8176
- WEB: https://github.com/gogs/gogs/releases/tag/v0.14.2
- WEB: https://github.com/gogs/gogs/security/advisories/GHSA-vgvf-m4fw-938j