SB2026042780 - Multiple vulnerabilities in gogs
Published: April 27, 2026
Description
This security bulletin contains information about 5 vulnerabilities.
1) Cross-site scripting (CVE-ID: CVE-2026-26276)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary script in the victim's browser and disclose sensitive information or perform unauthorized actions.
The vulnerability exists due to cross-site scripting in milestone selection on the New Issue page when rendering a repository's milestone name. A remote user can store a crafted HTML/JavaScript payload in a milestone name to execute arbitrary script in the victim's browser and disclose sensitive information or perform unauthorized actions.
User interaction is required when another user selects the crafted milestone on /issues/new.
2) Use of GET Request Method With Sensitive Query Strings (CVE-ID: CVE-2026-26196)
CWE-ID: CWE-598 - Information Exposure Through Query Strings in GET Request
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to use of the GET request method with sensitive query strings in the API authentication logic when processing API requests with token or access_token URL parameters. A remote user can send a request with an access token in the query string to disclose sensitive information.
Exposed tokens may leak through logs, browser history, shell history, and referrer headers, and may be reused until revoked.
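The following Go example is added to this bulletin and is not code from the gogs project; it shows the two defensive halves of item 2: refusing API requests that carry a credential in the query string so that only the Authorization header is accepted, and redacting such parameters before a request URL is written to an access log. The function names, the parameter list beyond token and access_token, and the sample URLs are assumptions for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
)

// Parameter names that must never carry a credential. "token" and
// "access_token" are the names the bulletin cites; treating exactly these two
// as credential parameters is an assumption for this example.
var credentialParams = []string{"token", "access_token"}

// credentialsInQuery returns the credential-bearing parameter names present in
// a query string. A non-empty result means the request would copy a secret
// into access logs, browser history and Referer headers.
func credentialsInQuery(query url.Values) []string {
	var found []string
	for _, name := range credentialParams {
		if _, ok := query[name]; ok {
			found = append(found, name)
		}
	}
	return found
}

// redactQuery rewrites a request URL for logging: credential parameters keep
// their name, so the misuse stays visible in the log, but lose their value.
func redactQuery(rawURL string) (string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", err
	}
	q := u.Query()
	for _, name := range credentialParams {
		if _, ok := q[name]; ok {
			q.Set(name, "REDACTED")
		}
	}
	u.RawQuery = q.Encode()
	return u.String(), nil
}

// checkQueryCredentials returns a non-zero HTTP status and a message when the
// request carries a credential in its query string; a zero status means the
// request may proceed to the handler.
func checkQueryCredentials(r *http.Request) (int, string) {
	if leaked := credentialsInQuery(r.URL.Query()); len(leaked) > 0 {
		return http.StatusBadRequest, fmt.Sprintf(
			"parameters %v must be sent in the Authorization header, not the query string", leaked)
	}
	return 0, ""
}

// requireHeaderToken is HTTP middleware that applies checkQueryCredentials
// before the API handler runs, so a query-string token is never accepted.
func requireHeaderToken(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if status, msg := checkQueryCredentials(r); status != 0 {
			http.Error(w, msg, status)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Constructed sample request URL, not a real log entry.
	line, _ := redactQuery("https://git.example/api/v1/user/repos?access_token=s3cr3t&page=2")
	fmt.Println(line)
}
```

Rejecting the request outright, rather than silently accepting the token, is what stops the leak: a token that is accepted once in a query string has already been written to every intermediate log by the time the API answers. The redaction helper is for the logging side, so that existing log lines can still show which clients are sending tokens the wrong way during the migration.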
3) Cross-site scripting (CVE-ID: CVE-2026-26195)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary script in a user's browser.
The vulnerability exists due to cross-site scripting in branch and wiki views when rendering author and committer names in affected pages. A remote user can inject crafted commit metadata to execute arbitrary script in a user's browser.
Exploitation requires the ability to inject commit metadata such as an author or committer name.
4) Improper Neutralization of Argument Delimiters in a Command (CVE-ID: CVE-2026-26194)
CWE-ID: CWE-88 - Argument Injection or Modification
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to cause a denial of service.
The vulnerability exists due to improper neutralization of argument delimiters in internal/database/release.go when deleting a release with a user-controlled tag name. A remote user can create a tag name beginning with a dash and trigger release deletion to cause a denial of service.
Exploitation requires the ability to introduce a tag name that starts with a dash into the repository and then invoke release deletion through the web UI or API.
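The Go example below is added here and is not the code from internal/database/release.go; it illustrates the argument-delimiter problem behind item 4 and the usual mitigation. Go's os/exec passes arguments to git without a shell, so the issue is not shell quoting but git's own option parsing: a user-controlled ref name placed directly after the flags is read as an option when it begins with a dash. The hardened builder inserts the "--" separator and also validates the name. The function names, the validation rule set (a subset of git's ref-name rules, not the complete check-ref-format) and the constructed tag name are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// buildDeleteTagArgsUnsafe mirrors the risky shape described in the bulletin:
// the user-controlled tag name is placed straight after the flags, so a name
// beginning with "-" is parsed by git as another option instead of a ref.
// Illustrative only; not the actual gogs code.
func buildDeleteTagArgsUnsafe(tagName string) []string {
	return []string{"tag", "-d", tagName}
}

// validateTagName rejects names that could be read as options and a subset of
// the characters git forbids in ref names. The rule set is an assumption for
// this example, not git's complete check-ref-format.
func validateTagName(name string) error {
	switch {
	case name == "":
		return errors.New("empty tag name")
	case strings.HasPrefix(name, "-"):
		return fmt.Errorf("tag name %q starts with a dash and could be parsed as an option", name)
	case strings.ContainsAny(name, " \t\r\n\\~^:?*["), strings.Contains(name, ".."):
		return fmt.Errorf("tag name %q contains characters not allowed in a ref", name)
	}
	return nil
}

// buildDeleteTagArgsSafe ends option parsing with "--" so git treats whatever
// follows as an operand, and validates the name first as defence in depth.
func buildDeleteTagArgsSafe(tagName string) ([]string, error) {
	if err := validateTagName(tagName); err != nil {
		return nil, err
	}
	return []string{"tag", "-d", "--", tagName}, nil
}

// classifyArgs models how a getopt-style parser such as git's splits an argv
// into options and operands: tokens starting with "-" are options until a
// bare "--" is seen, after which everything is an operand. It shows the
// effect of a dash-prefixed name without running git.
func classifyArgs(args []string) (options, operands []string) {
	afterSeparator := false
	for _, a := range args {
		switch {
		case afterSeparator:
			operands = append(operands, a)
		case a == "--":
			afterSeparator = true
		case strings.HasPrefix(a, "-"):
			options = append(options, a)
		default:
			operands = append(operands, a)
		}
	}
	return options, operands
}

func main() {
	// Constructed tag name beginning with a dash; not a real git option.
	const hostile = "--example-flag"
	opts, ops := classifyArgs(buildDeleteTagArgsUnsafe(hostile))
	fmt.Printf("unsafe:  options=%v operands=%v\n", opts, ops)
	if _, err := buildDeleteTagArgsSafe(hostile); err != nil {
		fmt.Println("safe:   ", err)
	}
	opts, ops = classifyArgs([]string{"tag", "-d", "--", hostile})
	fmt.Printf("with --: options=%v operands=%v\n", opts, ops)
}
```

The "--" separator is the fix that holds regardless of validation, because it is git that decides what counts as an option; validation on top of it keeps unexpected names out of the repository metadata in the first place. The same pattern applies to every place a ref name, path or remote URL from the user is handed to git as a positional argument.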
5) Cross-site scripting (CVE-ID: CVE-2026-26022)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary JavaScript in a victim's browser context.
The vulnerability exists due to improper neutralization of script-related content in internal/markup/sanitizer.go when processing raw HTML links containing data: URIs in issue comments and descriptions. A remote user can inject a crafted link to execute arbitrary JavaScript in a victim's browser context.
User interaction is required, and the victim must click the crafted link.
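As an added example for item 5, not code from internal/markup/sanitizer.go, the Go block below shows the allowlist check a link sanitizer needs so that data: targets in raw HTML links are dropped. It extracts the scheme the way a browser will read it (control characters removed, leading whitespace ignored, case-insensitive, and a colon only counts before the first '/', '?' or '#'), keeps relative links, and accepts only schemes on the allowlist. The allowlist, the function names and the sample href values are assumptions.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// Schemes a link in user content may use. The allowlist is an assumption for
// this example; anything absent from it, data: included, is dropped.
var allowedSchemes = map[string]bool{"http": true, "https": true, "mailto": true}

// hrefScheme extracts the scheme as a browser will interpret it: ASCII control
// characters are removed anywhere in the value, leading whitespace is ignored,
// the result is lower-cased, and a colon only delimits a scheme when it comes
// before any '/', '?' or '#'. An empty result means a relative URL.
func hrefScheme(href string) string {
	cleaned := strings.Map(func(r rune) rune {
		if r < 0x20 || r == 0x7f {
			return -1 // drop the rune
		}
		return r
	}, href)
	cleaned = strings.TrimLeftFunc(cleaned, unicode.IsSpace)
	for i, r := range cleaned {
		switch r {
		case ':':
			return strings.ToLower(cleaned[:i])
		case '/', '?', '#':
			return ""
		}
	}
	return ""
}

// safeHref reports whether a link target may survive sanitization.
func safeHref(href string) bool {
	scheme := hrefScheme(href)
	if scheme == "" {
		return true // relative link, resolves within the site itself
	}
	return allowedSchemes[scheme]
}

// filterHrefs splits a batch of link targets into those to keep and those to
// strip. In a real sanitizer this decision runs per anchor on the parsed HTML
// tree, never on the raw string.
func filterHrefs(hrefs []string) (kept, dropped []string) {
	for _, h := range hrefs {
		if safeHref(h) {
			kept = append(kept, h)
		} else {
			dropped = append(dropped, h)
		}
	}
	return kept, dropped
}

func main() {
	// Constructed href values as they might appear in an issue comment.
	samples := []string{
		"https://example.com/docs",
		"/issues/42#note:1",
		"mailto:maintainer@example.com",
		"data:text/plain;base64,aGVsbG8=",
		"  DATA:text/plain,hello",
		"da\tta:text/plain,hello",
	}
	kept, dropped := filterHrefs(samples)
	fmt.Println("kept:   ", kept)
	fmt.Println("dropped:", dropped)
}
```

The check is an allowlist rather than a denylist of data: and similar schemes because the latter is what obfuscated casing and embedded control characters bypass; the last two sample values are exactly the forms a denylist written as a plain string comparison would miss.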
Remediation
Install the update from the vendor's website.
References
- https://github.com/gogs/gogs/security/advisories/GHSA-vgjm-2cpf-4g7c
- https://github.com/gogs/gogs/security/advisories/GHSA-x9p5-w45c-7ffc
- https://github.com/gogs/gogs/security/advisories/GHSA-vgvf-m4fw-938j
- https://github.com/gogs/gogs/security/advisories/GHSA-v9vm-r24h-6rqm
- https://github.com/gogs/gogs/security/advisories/GHSA-xrcr-gmf5-2r8j