Gogs: Stored XSS in branch and wiki views through author and committer names
CVE-2026-26195
GHSA-vgvf-m4fw-938j
Summary
Stored XSS is still possible through unsafe template rendering that mixes user input with `safe()` plus permissive sanitizer handling of data URLs.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| gogs.io | gogs | <= 0.13.3 | – |
| gogs | gogs | <= 0.14.2 | – |
Original title
Gogs: Stored XSS in branch and wiki views through author and committer names
Original description
### Summary
Stored XSS is still possible through unsafe template rendering that mixes user input with `safe()` plus permissive sanitizer handling of data URLs.
### Details
`safe()` still turns off escaping:
- internal/template/template.go
- `func safe(raw string) template.HTML { return template.HTML(raw) }`
Branch pages still render committer names using `safe()`:
- templates/repo/branches/overview.tmpl
- templates/repo/branches/all.tmpl
- templates/repo/wiki/view.tmpl
The locale still injects a raw second argument: conf/locale/locale_en-US.ini (`branches.updated_by = updated %[1]s by %[2]s`)
### Impact
An attacker who can inject commit metadata such as author/committer name can trigger script execution on affected pages, leading to session abuse, CSRF token theft, or unauthorized actions.
### Recommended Fix
- Untrusted arguments should be escaped before being used in translations.
- Data URLs should be limited or blocked in the sanitizer.
### Remediation
A fix is available at https://github.com/gogs/gogs/releases/tag/v0.14.2.
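The rendering pattern the advisory describes, as an added example that is not Gogs' own code: `safe` and the `branches.updated_by` locale string are copied from the advisory, while `tr` (a stand-in for the locale lookup), `render` and the two `Render*` functions are hypothetical names used to contrast the unescaped path with the recommended fix of escaping untrusted arguments before translation.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
)

// Locale string as shipped in conf/locale/locale_en-US.ini.
const updatedBy = "updated %[1]s by %[2]s"

// safe mirrors the helper from internal/template/template.go: it marks
// arbitrary text as already-safe HTML, so html/template will not escape it.
func safe(raw string) template.HTML { return template.HTML(raw) }

// tr is a hypothetical stand-in for the locale lookup: it substitutes the
// arguments into the translation exactly as given, with no escaping.
func tr(format string, args ...interface{}) string { return fmt.Sprintf(format, args...) }

var page = template.Must(template.New("row").Parse(`<td>{{.}}</td>`))

func render(v interface{}) string {
	var buf bytes.Buffer
	if err := page.Execute(&buf, v); err != nil {
		panic(err)
	}
	return buf.String()
}

// RenderVulnerable reproduces the advisory's pattern: the raw committer name
// is interpolated into the translation and the result passed through safe(),
// so any markup in the name reaches the page unescaped.
func RenderVulnerable(when, committer string) string {
	return render(safe(tr(updatedBy, when, committer)))
}

// RenderFixed applies the recommended fix: every untrusted argument is
// HTML-escaped before substitution, so safe() only ever marks text whose
// markup the application itself produced.
func RenderFixed(when, committer string) string {
	return render(safe(tr(updatedBy, template.HTMLEscapeString(when), template.HTMLEscapeString(committer))))
}

func main() {
	// Constructed sample: a committer name that carries HTML markup.
	name := "<b>Mallory</b>"
	fmt.Println(RenderVulnerable("2 days ago", name)) // markup rendered as HTML
	fmt.Println(RenderFixed("2 days ago", name))      // markup rendered as text
}
```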
NVD CVSS 3.1: 6.1
NVD CVSS 4.0: 6.9
Vulnerability type
CWE-79
Cross-site Scripting (XSS)
- https://github.com/gogs/gogs/commit/ac21150a53bef3a3061f4da787ab193a8d68ecfc Patch
- https://github.com/gogs/gogs/pull/8176 Issue Tracking
- https://github.com/gogs/gogs/releases/tag/v0.14.2 Release Notes
- https://github.com/gogs/gogs/security/advisories/GHSA-vgvf-m4fw-938j Vendor Advisory
- https://nvd.nist.gov/vuln/detail/CVE-2026-26195
- https://github.com/advisories/GHSA-vgvf-m4fw-938j
Published: 5 Mar 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026