Gogs is an open source self-hosted Git service. Prior to version 0.14.2, an attacker can store an HTML/JavaScript payload in a repository’s Milestone name, and …

Published: 4 March 2026 at 23:00:00

Alert date: 5 March 2026 at 20:09:02

Source: nvd.nist.gov

Web Technologies

A DOM-based cross-site scripting (XSS) vulnerability exists in Gogs, an open source self-hosted Git service, affecting versions prior to 0.14.2. An attacker can store an HTML/JavaScript payload in a repository's Milestone name; the payload executes when another user selects that milestone on the New Issue page (/issues/new), so the stored code runs in the context of that user's browser. The flaw is patched in Gogs version 0.14.2. Users should upgrade to the latest version to mitigate this risk.
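The general pattern behind this class of bug, as an added example that is not Gogs source code: a name that the server escapes correctly in the menu is decoded again when client script reads the item's text, and becomes markup if it is concatenated into HTML at selection time. The advisory does not describe the actual sink, so every function name and sample milestone name below is a constructed assumption.

```javascript
// Added illustration; not Gogs source code. All names here are hypothetical.

// Escape the five HTML-significant characters before building markup.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[c]));
}

// Models reading an element's text content in a browser: entities are
// decoded, so a name the server escaped correctly is raw text again.
function readTextContent(escapedHtml) {
  const map = { "&lt;": "<", "&gt;": ">", "&quot;": '"', "&#39;": "'", "&amp;": "&" };
  return escapedHtml.replace(/&(lt|gt|quot|#39|amp);/g, (m) => map[m]);
}

// Vulnerable pattern: the decoded name is concatenated into an HTML string
// that the page would then assign to innerHTML.
function selectedMarkupUnsafe(name) {
  return '<a class="item" href="#">' + name + "</a>";
}

// Hardened pattern: escape at the sink (or assign textContent in a browser).
function selectedMarkupSafe(name) {
  return '<a class="item" href="#">' + escapeHtml(name) + "</a>";
}

// Defender check: flag stored names that contain markup characters.
function flagSuspiciousNames(names) {
  return names.filter((n) => /[<>]/.test(n));
}

// Constructed sample data.
const storedNames = ["v1.0", "Q3 & Q4", "<img src=x onerror=alert(1)>"];
const menuHtml = storedNames.map(escapeHtml);   // what a server template emits
const picked = readTextContent(menuHtml[2]);     // what the click handler reads

console.log(selectedMarkupUnsafe(picked));
console.log(selectedMarkupSafe(picked));
console.log(flagSuspiciousNames(storedNames));
```

On an instance that cannot be upgraded immediately, a check like `flagSuspiciousNames` run over exported milestone names is a quick way to spot entries worth reviewing.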

Affected products: Gogs

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: This website displays information originating from external sources. Perceptive accepts no responsibility for the content, accuracy or completeness of this information.
