VYPR
Moderate severity · NVD Advisory · Published May 29, 2022 · Updated Aug 3, 2024

Cross-site Scripting (XSS) - Stored in go-gitea/gitea

CVE-2022-1928

Description

Cross-site Scripting (XSS) - Stored in GitHub repository go-gitea/gitea prior to 1.16.9.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in Gitea prior to 1.16.9 via crafted PDF files at the raw endpoint, allowing arbitrary JavaScript execution.

Vulnerability

The vulnerability is a stored cross-site scripting (XSS) in Gitea versions prior to 1.16.9, affecting the raw file serving endpoint. When a user uploads a PDF file, the server previously did not set proper Content-Security-Policy and Content-Type headers for PDF files. An attacker could upload a PDF containing malicious JavaScript, which would be rendered in the browser inline due to missing sandbox and CSP [1][4]. The fix was implemented in commit 65e0688a5c9dacad50e71024b7529fdf0e3c2e9c [4] and included in version 1.16.9.

Exploitation

An attacker needs the ability to upload files to a Gitea repository (e.g., as a contributor or via a public repository if uploads are allowed). The attacker uploads a specially crafted PDF file that contains embedded JavaScript. When a victim views the raw file via the raw endpoint, the browser renders the PDF inline without proper security headers, leading to execution of the malicious script in the victim's session context [1][4].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's session on the Gitea instance. This can lead to theft of session cookies, unauthorized actions on behalf of the victim, and potential compromise of the Gitea instance and its data [1].

Mitigation

The vulnerability is fixed in Gitea version 1.16.9, released on 2022-05-29. Users should upgrade to this version or later. The fix ensures that PDF files served from the raw endpoint are served with a restrictive Content-Security-Policy and Content-Type set to application/octet-stream, preventing inline execution [1][4]. There is no workaround other than upgrading.
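To make the header policy described above concrete, here is an added Go example (written for this page, not Gitea's own code; the real change is the patch shown further down). It models a raw-file endpoint's header selection twice: `LegacyRawFileHeaders` reproduces the weak behaviour, where a sniffed PDF is handed to the browser inline with no CSP, and `HardenedRawFileHeaders` applies the fix, adding the sandboxing CSP, `nosniff`, and an `application/octet-stream` Content-Type for PDFs. The `SniffKind` helper, the `FileKind` names and the simplified SVG regex are constructed for this example; the CSP string is the one from the fix.

```go
package main

import (
	"bytes"
	"fmt"
	"net/http"
	"regexp"
)

// FileKind is the coarse classification a raw endpoint needs to pick headers.
// (Constructed for this example; Gitea uses a richer sniffer type.)
type FileKind int

const (
	KindOther FileKind = iota
	KindImage          // raster image such as PNG
	KindSVG
	KindPDF
)

const (
	svgMimeType            = "image/svg+xml"
	applicationOctetStream = "application/octet-stream"
	// Restrictive policy: no scripts, no network, and a sandboxed (opaque) origin.
	rawCSP = "default-src 'none'; style-src 'unsafe-inline'; sandbox"
)

// svgTagRegex is a simplified detector (constructed for this example) that
// recognises an <svg root element, optionally preceded by comments.
var svgTagRegex = regexp.MustCompile(`(?si)\A\s*(?:<!--.*?-->\s*)*<svg[\s>/]`)

// SniffKind classifies a file by its leading bytes rather than trusting the
// file name, which is what a server-side content sniffer does.
func SniffKind(head []byte) FileKind {
	switch {
	case bytes.HasPrefix(head, []byte("%PDF-")):
		return KindPDF
	case bytes.HasPrefix(head, []byte("\x89PNG\r\n\x1a\n")):
		return KindImage
	case svgTagRegex.Match(head):
		return KindSVG
	default:
		return KindOther
	}
}

// LegacyRawFileHeaders models the vulnerable behaviour: only SVGs get the
// sandboxing CSP, so a PDF with embedded script reaches the browser's viewer
// inline with its sniffed type and no policy.
func LegacyRawFileHeaders(name, sniffedType string, kind FileKind) http.Header {
	h := http.Header{}
	if kind == KindImage || kind == KindPDF || kind == KindSVG {
		h.Set("Content-Disposition", fmt.Sprintf(`inline; filename="%s"`, name))
		if kind == KindSVG {
			h.Set("Content-Security-Policy", rawCSP)
			h.Set("X-Content-Type-Options", "nosniff")
			h.Set("Content-Type", svgMimeType)
		} else {
			h.Set("Content-Type", sniffedType)
		}
	} else {
		h.Set("Content-Disposition", fmt.Sprintf(`attachment; filename="%s"`, name))
		h.Set("Content-Type", sniffedType)
	}
	return h
}

// HardenedRawFileHeaders applies the fixed policy: PDFs are treated like SVGs
// (CSP with sandbox, nosniff) and additionally served as application/octet-stream
// so the browser will not render them as a document at all.
func HardenedRawFileHeaders(name, sniffedType string, kind FileKind) http.Header {
	h := http.Header{}
	if kind == KindImage || kind == KindPDF || kind == KindSVG {
		h.Set("Content-Disposition", fmt.Sprintf(`inline; filename="%s"`, name))
		switch kind {
		case KindSVG:
			h.Set("Content-Security-Policy", rawCSP)
			h.Set("X-Content-Type-Options", "nosniff")
			h.Set("Content-Type", svgMimeType)
		case KindPDF:
			h.Set("Content-Security-Policy", rawCSP)
			h.Set("X-Content-Type-Options", "nosniff")
			h.Set("Content-Type", applicationOctetStream)
		default:
			h.Set("Content-Type", sniffedType)
		}
	} else {
		h.Set("Content-Disposition", fmt.Sprintf(`attachment; filename="%s"`, name))
		h.Set("Content-Type", sniffedType)
	}
	return h
}

func main() {
	// Constructed sample: the opening bytes of a PDF file.
	pdfHead := []byte("%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj\n")
	kind := SniffKind(pdfHead)
	fmt.Println("legacy:  ", LegacyRawFileHeaders("doc.pdf", "application/pdf", kind))
	fmt.Println("hardened:", HardenedRawFileHeaders("doc.pdf", "application/pdf", kind))
}
```

Running it side by side shows why the Content-Type change matters: a CSP `sandbox` governs documents the browser itself renders, so for a PDF the decisive control is refusing to present it as a renderable type in the first place.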

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package              Ecosystem   Affected versions   Patched versions
code.gitea.io/gitea  Go          < 1.16.9            1.16.9

Affected products: 3

Patches: 1

65e0688a5c9d

Fix raw endpoint PDF file headers (#19825)

https://github.com/go-gitea/gitea · Lauris BH · May 28, 2022 · via ghsa
2 files changed · +12 −4
  • modules/typesniffer/typesniffer.go  +6 −2  modified
    @@ -17,8 +17,12 @@ import (
     // Use at most this many bytes to determine Content Type.
     const sniffLen = 1024
     
    -// SvgMimeType MIME type of SVG images.
    -const SvgMimeType = "image/svg+xml"
    +const (
    +	// SvgMimeType MIME type of SVG images.
    +	SvgMimeType = "image/svg+xml"
    +	// ApplicationOctetStream MIME type of binary files.
    +	ApplicationOctetStream = "application/octet-stream"
    +)
     
     var (
     	svgTagRegex      = regexp.MustCompile(`(?si)\A\s*(?:(<!--.*?-->|<!DOCTYPE\s+svg([\s:]+.*?>|>))\s*)*<svg[\s>\/]`)
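Review bot: Naming: the new constant `ApplicationOctetStream` breaks the pattern set by its sibling `SvgMimeType`, which names what the value is (a MIME type) rather than spelling out the value itself; consider `OctetStreamMimeType` so the two call sites in routers/common/repo.go read uniformly as `typesniffer.SvgMimeType` / `typesniffer.OctetStreamMimeType`. Grouping both into one `const (...)` block with a comment per constant is fine as done.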
    
  • routers/common/repo.go  +6 −2  modified
    @@ -88,10 +88,14 @@ func ServeData(ctx *context.Context, name string, size int64, reader io.Reader)
     		}
     		if (st.IsImage() || st.IsPDF()) && (setting.UI.SVG.Enabled || !st.IsSvgImage()) {
     			ctx.Resp.Header().Set("Content-Disposition", fmt.Sprintf(`inline; filename="%s"`, name))
    -			if st.IsSvgImage() {
    +			if st.IsSvgImage() || st.IsPDF() {
     				ctx.Resp.Header().Set("Content-Security-Policy", "default-src 'none'; style-src 'unsafe-inline'; sandbox")
     				ctx.Resp.Header().Set("X-Content-Type-Options", "nosniff")
    -				ctx.Resp.Header().Set("Content-Type", typesniffer.SvgMimeType)
    +				if st.IsSvgImage() {
    +					ctx.Resp.Header().Set("Content-Type", typesniffer.SvgMimeType)
    +				} else {
    +					ctx.Resp.Header().Set("Content-Type", typesniffer.ApplicationOctetStream)
    +				}
     			}
     		} else {
     			ctx.Resp.Header().Set("Content-Disposition", fmt.Sprintf(`attachment; filename="%s"`, name))
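Review bot: The outer condition `(st.IsImage() || st.IsPDF())` still routes PDFs into the `inline` Content-Disposition branch while the new inner branch forces `Content-Type: application/octet-stream` with `nosniff`; browsers will not render an octet-stream body inline, so the two headers now pull in opposite directions. Either drop `st.IsPDF()` from the outer condition so PDFs fall through to the existing `attachment` branch, or add a comment stating that inline disposition for PDFs is deliberately kept. Since the CSP `sandbox` directive only governs documents the browser renders itself, the Content-Type change is the effective control for PDFs here and deserves a comment saying so; a unit test asserting these three headers for a PDF fixture would also guard against regression.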
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 6

News mentions: 0

No linked articles in our index yet.