


Perceptive Security
SOC/SIEM Consultancy

Gogs is an open source self-hosted Git service. Prior to version 0.14.2, an attacker can store an HTML/JavaScript payload in a repository’s Milestone name, and …
Published:
4 March 2026 at 23:00:00
Alert date:
5 March 2026 at 20:09:02
Source:
nvd.nist.gov
Web Technologies
A DOM-Based Cross-Site Scripting (XSS) vulnerability exists in Gogs, an open source self-hosted Git service, affecting versions prior to 0.14.2. Attackers can inject HTML/JavaScript payloads into repository Milestone names, which execute when other users select the milestone on the New Issue page (/issues/new). The vulnerability allows stored malicious code execution in the context of other users' browsers. This security flaw has been addressed and patched in Gogs version 0.14.2. Users should upgrade to the latest version to mitigate this risk.
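A triage helper for the upgrade advice above, added here as an example and not taken from Gogs or the advisory: it checks a reported version against the fixed release 0.14.2 and flags milestone names that contain HTML markup. The function names, the sample data and the treatment of pre-release builds of 0.14.2 as unpatched are assumptions.

```python
import re

FIXED = (0, 14, 2)  # first patched release named in the advisory

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(.*)$")
# Tag-like markup: "<" followed by a letter, "/" or "!" (a bare "<" in "size < 10MB" is ignored).
_TAG_RE = re.compile(r"<\s*[/!]?\s*[A-Za-z]")


def is_affected(version: str) -> bool:
    """Return True when a Gogs version string is older than the fixed release."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Gogs version string: {version!r}")
    core = tuple(int(part) for part in m.group(1, 2, 3))
    suffix = m.group(4)
    if core < FIXED:
        return True
    # Assumption: a pre-release of the fixed version ("0.14.2-rc1") may lack the
    # patch, so it is reported as affected; build metadata ("+dev") is ignored.
    return core == FIXED and suffix.startswith("-")


def flag_milestones(names):
    """Return the milestone names that contain tag-like HTML markup."""
    return [name for name in names if _TAG_RE.search(name)]


def triage(version, names):
    """Combine both checks; markup is reported even on patched instances,
    because it may be left over from before the upgrade."""
    return {"affected": is_affected(version), "review": flag_milestones(names)}


# Constructed sample data, not taken from any real instance.
SAMPLE_MILESTONES = [
    "v1.0",
    "Q3 <b>release</b>",
    "size < 10MB",
    "Sprint 12 <script>/* constructed */</script>",
]

if __name__ == "__main__":
    print(triage("0.14.1", SAMPLE_MILESTONES))
```

Flagged names are candidates for manual review, not proof of an attack: legitimate milestone names can contain angle brackets.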
Affected products:
Gogs
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-26276
https://github.com/gogs/gogs/pull/8178
https://github.com/gogs/gogs/releases/tag/v0.14.2
https://github.com/gogs/gogs/security/advisories/GHSA-vgjm-2cpf-4g7c
This article was created with the assistance of AI technology by Perceptive.
