Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in gogs - #VU134899

Published: June 19, 2026


Vulnerability identifier: #VU134899
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-80
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: gogs.io
Affected software:
gogs

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary script in the victim's browser.

The vulnerability exists because the .ipynb file renderer does not properly neutralize script-related HTML tags when rendering user-supplied Jupyter notebook files. A remote user can add a crafted notebook file to a repository and trick the victim into viewing the rendered file, which executes arbitrary script in the victim's browser.

The issue can lead to account takeover when the victim views the malicious notebook file.
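The renderer pattern behind this class of bug, shown as an added example in Go (the language gogs is written in); this is illustrative code written for this page, not the gogs renderer or its fix. It decodes a constructed, minimal notebook, renders it once the way the advisory describes (notebook-controlled strings copied into the page verbatim) and once with every such string HTML-escaped, and provides a small check a unit test or CI gate can run over the rendered markup. The struct fields follow the real .ipynb field names, but only the handful needed here are modeled, and the sample notebook is test data constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"html"
	"strings"
)

// Minimal subset of the .ipynb JSON schema used by this example.
// Field names match the notebook format; everything else is omitted.
type Notebook struct {
	Cells []Cell `json:"cells"`
}

type Cell struct {
	CellType string          `json:"cell_type"`
	Source   json.RawMessage `json:"source"`  // string or []string in real files
	Outputs  []Output        `json:"outputs"` // only present on code cells
}

type Output struct {
	OutputType string                     `json:"output_type"`
	Data       map[string]json.RawMessage `json:"data"` // MIME type -> string or []string
}

// textOf accepts both encodings the notebook format allows for text:
// a single string or an array of line strings.
func textOf(raw json.RawMessage) string {
	var lines []string
	if err := json.Unmarshal(raw, &lines); err == nil {
		return strings.Join(lines, "")
	}
	var s string
	if err := json.Unmarshal(raw, &s); err == nil {
		return s
	}
	return ""
}

// ParseNotebook decodes notebook JSON into the structs above.
func ParseNotebook(data []byte) (Notebook, error) {
	var nb Notebook
	err := json.Unmarshal(data, &nb)
	return nb, err
}

// RenderUnsafe has the shape of the defect the advisory describes: cell
// sources and text/html outputs are copied into the page verbatim, so any
// tag the notebook author wrote reaches the viewer's browser unchanged.
func RenderUnsafe(nb Notebook) string {
	var b strings.Builder
	for _, c := range nb.Cells {
		b.WriteString("<div class=\"cell\">" + textOf(c.Source) + "</div>\n")
		for _, o := range c.Outputs {
			if h, ok := o.Data["text/html"]; ok {
				b.WriteString("<div class=\"output\">" + textOf(h) + "</div>\n")
			}
		}
	}
	return b.String()
}

// RenderSafe neutralizes script-related tags by HTML-escaping every
// notebook-controlled string before it is placed in the page. A text/html
// output is shown as escaped text instead of being injected; a production
// renderer that wants rich output would pass it through an allow-list
// sanitizer instead (none exists in the Go standard library).
func RenderSafe(nb Notebook) string {
	var b strings.Builder
	for _, c := range nb.Cells {
		fmt.Fprintf(&b, "<pre class=\"cell %s\">%s</pre>\n",
			html.EscapeString(c.CellType), html.EscapeString(textOf(c.Source)))
		for _, o := range c.Outputs {
			raw, ok := o.Data["text/plain"] // prefer the plain-text representation
			if !ok {
				raw, ok = o.Data["text/html"]
			}
			if ok {
				fmt.Fprintf(&b, "<pre class=\"output\">%s</pre>\n", html.EscapeString(textOf(raw)))
			}
		}
	}
	return b.String()
}

// ContainsScriptTag reports whether rendered markup still carries a live
// <script> opening tag; suitable as a regression assertion for the renderer.
func ContainsScriptTag(rendered string) bool {
	return strings.Contains(strings.ToLower(rendered), "<script")
}

// SampleNotebook is constructed test data: a markdown cell plus a code cell
// whose text/html output carries a script tag.
const SampleNotebook = `{
  "cells": [
    {"cell_type": "markdown", "source": ["# Report\n", "Plain text cell"]},
    {"cell_type": "code", "source": "print('hi')",
     "outputs": [{"output_type": "display_data",
                  "data": {"text/html": ["<b>hi</b><script>alert(1)</script>"]}}]}
  ]
}`

func main() {
	nb, err := ParseNotebook([]byte(SampleNotebook))
	if err != nil {
		panic(err)
	}
	fmt.Println("unsafe render contains <script>:", ContainsScriptTag(RenderUnsafe(nb)))
	fmt.Println("safe render contains <script>:  ", ContainsScriptTag(RenderSafe(nb)))
	fmt.Print(RenderSafe(nb))
}
```

The escaped-text fallback for text/html outputs is the conservative choice: it loses rich rendering but cannot leak markup. A renderer that must display HTML output should treat it as untrusted and reduce it to an allow-list of tags and attributes before insertion, and keep a check like `ContainsScriptTag` in its test suite so a regression in that path is caught.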
Remediation

Install the security update from the vendor's website.

Sources