Cross-site scripting in gogs - CVE-2026-52798

Published: June 19, 2026


Vulnerability identifier: #VU134911
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-52798
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: gogs.io
Affected software:
gogs

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary JavaScript in the victim's browser within the Gogs origin.

The vulnerability exists due to cross-site scripting in the .ipynb preview markdown cell renderer when re-rendering sanitized notebook content on the client side. A remote user can commit a specially crafted .ipynb file containing a javascript: link and trick the victim into clicking the rendered link, which executes arbitrary JavaScript in the victim's browser within the Gogs origin.

User interaction is required to click the rendered link in the notebook preview.
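The defensive pattern for this class of weakness is a URL scheme allowlist enforced at the point where a markdown cell's links are emitted as HTML, so that it holds no matter where (server or client) the rendering happens. The following Node.js snippet is an added example written for this page; it is not Gogs code, and the function names, the placeholder base URL and the sample notebook JSON are constructed for illustration.

```javascript
// Added example, not Gogs code: scheme allowlisting for links emitted when
// notebook (.ipynb) markdown cells are rendered to HTML in the browser.
// Function names, the base URL and the sample notebook are constructed for
// this illustration.

// Only these schemes may appear in a rendered href. Anything else
// (javascript:, data:, vbscript:, ...) is rendered as plain text.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// Relative hrefs are resolved against this placeholder so they acquire the
// page's scheme; it is never fetched.
const RESOLVE_BASE = "https://example.invalid/";

// Browsers drop ASCII tab/newline/CR anywhere in a URL, and leading/trailing
// C0 controls and spaces, before parsing the scheme, so "java\tscript:" and
// " javascript:" still execute. Apply the same normalisation before checking.
function normalizeHref(href) {
  return String(href)
    .replace(/[\t\n\r]/g, "")
    .replace(/^[\x00-\x20]+|[\x00-\x20]+$/g, "");
}

// Returns true only when the href resolves to an allowlisted scheme.
// Parsing with the WHATWG URL parser (rather than substring matching on
// "javascript:") means case, embedded whitespace and relative forms are all
// handled the way the browser will handle them.
function isSafeHref(href) {
  let url;
  try {
    url = new URL(normalizeHref(href), RESOLVE_BASE);
  } catch {
    return false; // unparseable: refuse rather than guess
  }
  return ALLOWED_SCHEMES.has(url.protocol);
}

// Escape for both text and attribute context. Escaping "&" matters: it keeps
// an href such as "javascript&colon;x" from being entity-decoded by the
// browser into a javascript: URL after it passed the scheme check.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => (
    { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]
  ));
}

// Renderer hook for a markdown link. Unsafe links keep their visible text
// but lose the anchor entirely; the scheme is never "stripped out" of the
// href, since substring removal is bypassable (e.g. "javajavascript:script:").
function renderLink(text, href) {
  if (!isSafeHref(href)) {
    return escapeHtml(text);
  }
  return `<a href="${escapeHtml(href)}" rel="noopener noreferrer">${escapeHtml(text)}</a>`;
}

// Minimal inline renderer for [text](href) links; all other text is escaped.
// A real renderer would plug renderLink into its markdown engine's link hook.
function renderMarkdownCell(source) {
  const LINK = /\[([^\]]*)\]\(([^)]*)\)/g;
  let out = "";
  let last = 0;
  for (const m of source.matchAll(LINK)) {
    out += escapeHtml(source.slice(last, m.index));
    out += renderLink(m[1], m[2]);
    last = m.index + m[0].length;
  }
  return out + escapeHtml(source.slice(last));
}

// nbformat stores a cell's source as a string or an array of lines.
function renderNotebookMarkdownCells(notebook) {
  return notebook.cells
    .filter((c) => c.cell_type === "markdown")
    .map((c) => renderMarkdownCell(Array.isArray(c.source) ? c.source.join("") : c.source));
}

// Constructed sample notebook: one benign cell, one with obfuscated
// javascript: links (percent-encoded parentheses still execute once the
// browser decodes the URL body), and a code cell the markdown path ignores.
const SAMPLE_NOTEBOOK = {
  cells: [
    { cell_type: "markdown", source: ["See the [docs](https://gogs.io/docs) & the [next cell](#cell-2)."] },
    { cell_type: "markdown", source: ["Try [this](javascript:alert%281%29), [this](java\tscript:alert%281%29) or [this](../README.md)."] },
    { cell_type: "code", source: ["print('not a markdown cell')"] },
  ],
};

for (const html of renderNotebookMarkdownCells(SAMPLE_NOTEBOOK)) {
  console.log(html);
}
```

The check runs on the final href being written into the DOM, so a server-side pass that sanitized the stored notebook cannot be undone by a later client-side re-render: whichever code path produces the anchor goes through `renderLink`. Run it with `node` to see the two markdown cells rendered; the javascript: links come out as plain text while the relative and https links keep their anchors.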


How to mitigate CVE-2026-52798

Install the security update from the vendor's website.

Sources