Cross-site scripting in Gitea - CVE-2026-28737


Published: June 22, 2026


Vulnerability identifier: #VU135000
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-28737
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: The Gitea Authors
Affected software:
Gitea

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary JavaScript in the victim's browser within the Gitea origin.

The vulnerability exists due to cross-site scripting in the built-in 3D file viewer: when the viewer parses a crafted .gltf file whose extensionsRequired list contains unsupported values, the error display renders those values without proper sanitization. A remote user can push a specially crafted .gltf file to a repository; when a victim views that file in the web UI, the injected script executes in the victim's browser within the Gitea origin.

User interaction is required to view the crafted file page in the Gitea web UI.
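The pattern behind this class of bug, as an added illustration that is not Gitea's own code: an error message assembled from an untrusted field of the uploaded glTF (here, the names listed in extensionsRequired) is interpolated straight into markup. The supported-extension set, the function names, and the sample file are all hypothetical; the constructed sample carries plain markup rather than a script so that the escaping step is what is visible.

```javascript
// Added example (not from the Gitea project): an error display that reports
// unsupported glTF extensions, shown in a vulnerable form and a hardened form.
// The extension set and function names are assumptions for illustration only.

const SUPPORTED_EXTENSIONS = new Set([
  "KHR_materials_unlit",
  "KHR_texture_transform",
]); // hypothetical list of extensions the viewer implements

// Constructed sample .gltf (JSON). One extensionsRequired entry is supported,
// the other contains markup that must never reach the page unescaped.
const CRAFTED_GLTF = JSON.stringify({
  asset: { version: "2.0" },
  extensionsRequired: ["KHR_texture_transform", "<b>FAKE_EXT</b>"],
});

// Constructed benign sample: every required extension is supported.
const BENIGN_GLTF = JSON.stringify({
  asset: { version: "2.0" },
  extensionsRequired: ["KHR_materials_unlit"],
});

// Parse the glTF JSON and return the extensionsRequired entries the viewer
// cannot satisfy. Non-string entries are treated as unsupported too, so the
// caller never sees a value of unexpected type.
function findUnsupportedExtensions(gltfText) {
  const doc = JSON.parse(gltfText);
  const required = Array.isArray(doc.extensionsRequired) ? doc.extensionsRequired : [];
  return required.filter(
    (name) => typeof name !== "string" || !SUPPORTED_EXTENSIONS.has(name)
  );
}

// Minimal HTML escaping for text that is going to be placed inside an element.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: untrusted extension names are concatenated into the HTML
// string that later lands in the DOM (for example via innerHTML).
function renderErrorUnsafe(unsupported) {
  return `<div class="error">Unsupported glTF extensions: ${unsupported.join(", ")}</div>`;
}

// Hardened pattern: each untrusted value is escaped before it enters the markup.
// In browser code, assigning the message with element.textContent instead of
// innerHTML achieves the same without a separate escaping step to forget.
function renderErrorSafe(unsupported) {
  return `<div class="error">Unsupported glTF extensions: ${unsupported
    .map(escapeHtml)
    .join(", ")}</div>`;
}

// Check used by a unit test or a review script: does any raw angle bracket from
// the untrusted input survive into the rendered output?
function leaksRawMarkup(unsupported, html) {
  const prefix = '<div class="error">Unsupported glTF extensions: ';
  const body = html.slice(prefix.length, html.length - "</div>".length);
  return /[<>]/.test(body) && unsupported.some((n) => /[<>]/.test(String(n)));
}

if (typeof require !== "undefined" && require.main === module) {
  const bad = findUnsupportedExtensions(CRAFTED_GLTF);
  console.log("unsupported:", bad);
  console.log("unsafe :", renderErrorUnsafe(bad), "leaks:", leaksRawMarkup(bad, renderErrorUnsafe(bad)));
  console.log("safe   :", renderErrorSafe(bad), "leaks:", leaksRawMarkup(bad, renderErrorSafe(bad)));
}
```

Run with `node` to see both renderings side by side; the unsafe output carries the `<b>` tag through verbatim, while the safe output reduces it to `&lt;b&gt;`, which a browser displays as text rather than interpreting as markup. The same check is easy to run over any error path in a viewer that echoes file contents.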


How to mitigate CVE-2026-28737

Install the security update from the vendor's website.

Sources