Moderate severity · NVD Advisory · Published Mar 5, 2026 · Updated Mar 6, 2026
Gogs: Stored XSS in branch and wiki views through author and committer names
CVE-2026-26195
Description
Gogs is an open source self-hosted Git service. Prior to version 0.14.2, stored XSS is still possible through unsafe template rendering: user-controlled input (commit author and committer names) is interpolated into a locale string that is then marked Safe, so the template engine never escapes it, and the sanitizer Gogs applies elsewhere handles data: URLs permissively. This issue has been patched in version 0.14.2.
Affected packages
Versions sourced from the GitHub Security Advisory. Note that the table below (affected <= 0.13.3, no patched version listed) does not match the description, which states the issue is fixed in 0.14.2; the v0.14.2 release tag appears in the references.
| Package | Affected versions | Patched versions |
|---|---|---|
| gogs.io/gogs (Go) | <= 0.13.3 | — |
Patches (1)
ac21150a53be — template: escape untrusted names in locale strings piped through Safe (#8176)
4 files changed · +16 −5
.claude/commands/ghsa.md+11 −0 added@@ -0,0 +1,11 @@ +Analyze and help fix the GitHub Security Advisory (GHSA) at: $ARGUMENTS + +Steps: +1. Fetch the GHSA page using `gh api repos/gogs/gogs/security-advisories` and understand the vulnerability details (description, severity, affected versions, CWE). +2. Verify the reported vulnerability actually exists, and why. +3. Identify the affected code in this repository. +4. Propose a fix with a clear explanation of the root cause and how the fix addresses it. Check for prior art in the codebase to stay consistent with existing patterns. +5. Implement the fix. Only add tests when there is something meaningful to test at our layer. +6. Run all the usual build and test commands. +7. Create a branch named after the GHSA ID, commit, and push. +8. Create a pull request with a proper title and description, do not reveal too much detail and link the GHSA.
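Review bot: `.claude/commands/ghsa.md` is an agent prompt with no bearing on the template fix and should not ride along in a security patch commit; split it into its own change so the commit referenced by the advisory stays minimal and reviewable. Separately, step 1's `gh api repos/gogs/gogs/security-advisories` lists every advisory in the repository rather than the one passed in `$ARGUMENTS`; append the advisory ID to the path (or filter the result by it) so the steps that follow operate on the right advisory.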
templates/repo/branches/all.tmpl+1 −1 modified@@ -14,7 +14,7 @@ <div class="ui eleven wide column"> {{if .IsProtected}}<i class="octicon octicon-shield"></i> {{end}}<a class="markdown" href="{{$.RepoLink}}/src/{{EscapePound .Name}}"><code>{{.Name}}</code></a> {{$timeSince := TimeSince .Commit.Committer.When $.Lang}} - <span class="ui text light grey">{{$.i18n.Tr "repo.branches.updated_by" $timeSince .Commit.Committer.Name | Safe}}</span> + <span class="ui text light grey">{{$.i18n.Tr "repo.branches.updated_by" $timeSince (Sanitize .Commit.Committer.Name) | Safe}}</span> </div> <div class="ui four wide column"> {{if and (and (eq $.BranchName .Name) $.IsRepositoryAdmin) (not $.Repository.IsMirror)}}
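Review bot: `Sanitize` is an HTML sanitizer, not an escaper, so `(Sanitize .Commit.Committer.Name) | Safe` still lets whatever markup the sanitizer allowlists through to the page, and the advisory text itself blames the sanitizer's permissive handling of data: URLs for part of this bug. A committer name is plain text that anyone able to push chooses, so HTML-escape it (or keep the name out of the `Safe` pipeline altogether and let the template engine escape it) and reserve `Safe` for the locale string's own markup, e.g. `{{$.i18n.Tr "repo.branches.updated_by" $timeSince (Escape .Commit.Committer.Name) | Safe}}` with an escaping helper in place of `Sanitize`.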
templates/repo/branches/overview.tmpl+3 −3 modified@@ -13,7 +13,7 @@ <div class="ui eleven wide column"> {{if .DefaultBranch.IsProtected}}<i class="octicon octicon-shield"></i> {{end}}<a class="markdown" href="{{$.RepoLink}}/src/{{EscapePound .DefaultBranch.Name}}"><code>{{.DefaultBranch.Name}}</code></a> {{$timeSince := TimeSince .DefaultBranch.Commit.Committer.When $.Lang}} - <span class="ui text light grey">{{$.i18n.Tr "repo.branches.updated_by" $timeSince .DefaultBranch.Commit.Committer.Name | Safe}}</span> + <span class="ui text light grey">{{$.i18n.Tr "repo.branches.updated_by" $timeSince (Sanitize .DefaultBranch.Commit.Committer.Name) | Safe}}</span> </div> {{if and $.IsRepositoryAdmin (not $.Repository.IsMirror)}} <div class="ui four wide column"> @@ -33,7 +33,7 @@ <div class="ui eleven wide column"> {{if .IsProtected}}<i class="octicon octicon-shield"></i> {{end}}<a class="markdown" href="{{$.RepoLink}}/src/{{EscapePound .Name}}"><code>{{.Name}}</code></a> {{$timeSince := TimeSince .Commit.Committer.When $.Lang}} - <span class="ui text light grey">{{$.i18n.Tr "repo.branches.updated_by" $timeSince .Commit.Committer.Name | Safe}}</span> + <span class="ui text light grey">{{$.i18n.Tr "repo.branches.updated_by" $timeSince (Sanitize .Commit.Committer.Name) | Safe}}</span> </div> {{if and $.IsRepositoryWriter $.AllowPullRequest}} <div class="ui four wide column"> 
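Review bot: same concern as in all.tmpl for both hunks here: wrapping the name in `Sanitize` ahead of `| Safe` leaves sanitizer-permitted markup in the output, where escaping would remove the injection surface entirely. The `repo.branches.updated_by` span is now duplicated at -13 and -33 in this file, again at -55 below, and once more in all.tmpl, each copy needing the same call; pull it into one shared template fragment so a future copy cannot reintroduce the unsanitized form. Leaving `$timeSince` outside the call is correct, since it is generated server-side by `TimeSince`.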
@@ -55,7 +55,7 @@ <div class="ui eleven wide column"> {{if .IsProtected}}<i class="octicon octicon-shield"></i> {{end}}<a class="markdown" href="{{$.RepoLink}}/src/{{EscapePound .Name}}"><code>{{.Name}}</code></a> {{$timeSince := TimeSince .Commit.Committer.When $.Lang}} - <span class="ui text light grey">{{$.i18n.Tr "repo.branches.updated_by" $timeSince .Commit.Committer.Name | Safe}}</span> + <span class="ui text light grey">{{$.i18n.Tr "repo.branches.updated_by" $timeSince (Sanitize .Commit.Committer.Name) | Safe}}</span> </div> {{if and $.IsRepositoryWriter $.AllowPullRequest}} <div class="ui four wide column">
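Review bot: no test accompanies this or the other template changes, so nothing pins the fix to the three copies of this line. A regression test that renders the branch list with a committer name containing `<img onerror=...>` and asserts the name comes out escaped (and that the locale string's own markup survives) would catch the next copy-paste that drops the `Sanitize` call.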
templates/repo/wiki/view.tmpl+1 −1 modified@@ -58,7 +58,7 @@ {{end}} <div class="ui sub header"> {{$timeSince := TimeSince .Author.When $.Lang}} - {{.i18n.Tr "repo.wiki.last_commit_info" .Author.Name $timeSince | Safe}} + {{.i18n.Tr "repo.wiki.last_commit_info" (Sanitize .Author.Name) $timeSince | Safe}} </div> </div> <div class="markdown has-emoji">
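Review bot: `(Sanitize .Author.Name) | Safe` carries the same weakness as the branch templates (sanitizer allowlist rather than escaping), and the wiki author name is chosen by anyone with write access to the wiki repository. Beyond that, the patch touches only `repo.branches.updated_by` and `repo.wiki.last_commit_info`; grep the templates for every other `i18n.Tr ... | Safe` call that receives a commit author or committer field, since the same pattern anywhere else is left unfixed by this change.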
Vulnerability mechanics
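The mechanism in the description, reduced to a runnable Go html/template demonstration. This is an added example and not Gogs code: `Tr`, `Safe`, the locale string and the committer name are constructed stand-ins for Gogs' `i18n.Tr`, its `Safe` helper and the `repo.branches.updated_by` string (whose real text is not on this page), and `Escape` (plain `html.EscapeString`) stands in for the `Sanitize` call the patch adds, since escaping is the stricter fix for a plain-text name. Piping the translated string through `Safe` tells html/template the whole string is trusted, so a committer name interpolated into it is never escaped; escaping the name before interpolation is what closes the hole.

```go
package main

import (
	"fmt"
	"html"
	"html/template"
	"strings"
)

// Constructed locale string standing in for Gogs' repo.branches.updated_by
// (the real string is not on the page). It carries markup of its own, which
// is the reason the template marks the translated result as Safe.
var locale = map[string]string{
	"repo.branches.updated_by": `Updated %s by <span class="author">%s</span>`,
}

// Tr stands in for i18n.Tr: format a locale string with caller-supplied
// arguments. Nothing here escapes those arguments.
func Tr(key string, args ...interface{}) string {
	return fmt.Sprintf(locale[key], args...)
}

// Safe stands in for Gogs' Safe helper: returning template.HTML tells
// html/template the string is trusted, so the contextual escaper skips it.
func Safe(s string) template.HTML { return template.HTML(s) }

// Escape is the hardened stand-in for the patch's Sanitize call: entity-encode
// the untrusted name before it is interpolated into the trusted string.
func Escape(s string) string { return html.EscapeString(s) }

// Before the fix: the committer name goes into Tr unescaped and the whole
// result, name included, is marked Safe.
const vulnerableTmpl = `<span class="ui text light grey">{{Tr "repo.branches.updated_by" .TimeSince .Name | Safe}}</span>`

// After the fix: the name is escaped first, so only the locale string's own
// markup benefits from Safe.
const fixedTmpl = `<span class="ui text light grey">{{Tr "repo.branches.updated_by" .TimeSince (Escape .Name) | Safe}}</span>`

// render executes one of the fragments with a fixed timestamp and the given
// committer name, returning the HTML that would reach the browser.
func render(src, committerName string) string {
	t := template.Must(template.New("updated_by").Funcs(template.FuncMap{
		"Tr": Tr, "Safe": Safe, "Escape": Escape,
	}).Parse(src))
	var sb strings.Builder
	if err := t.Execute(&sb, map[string]string{
		"TimeSince": "3 days ago",  // server-generated, trusted
		"Name":      committerName, // from the commit object, attacker-controlled
	}); err != nil {
		panic(err)
	}
	return sb.String()
}

// RenderVulnerable reproduces the pre-0.14.2 behaviour.
func RenderVulnerable(committerName string) string { return render(vulnerableTmpl, committerName) }

// RenderFixed reproduces the patched behaviour, with Escape in place of Sanitize.
func RenderFixed(committerName string) string { return render(fixedTmpl, committerName) }

func main() {
	// Constructed committer name; whoever pushes the commit chooses it.
	const payload = `<img src=x onerror=alert(1)>`
	fmt.Println("vulnerable:", RenderVulnerable(payload))
	fmt.Println("fixed:     ", RenderFixed(payload))
}
```

The vulnerable fragment emits the `<img>` tag verbatim inside the span; the fixed one emits `&lt;img src=x onerror=alert(1)&gt;` while the locale string's `<span class="author">` still renders as markup, which is exactly the split the patch is after. The same shape applies to `repo.wiki.last_commit_info` and `.Author.Name`.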
References (6)
- github.com/advisories/GHSA-vgvf-m4fw-938j (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-26195 (ghsa: ADVISORY)
- github.com/gogs/gogs/commit/ac21150a53bef3a3061f4da787ab193a8d68ecfc (ghsa: x_refsource_MISC, WEB)
- github.com/gogs/gogs/pull/8176 (ghsa: x_refsource_MISC, WEB)
- github.com/gogs/gogs/releases/tag/v0.14.2 (ghsa: x_refsource_MISC, WEB)
- github.com/gogs/gogs/security/advisories/GHSA-vgvf-m4fw-938j (ghsa: x_refsource_CONFIRM, WEB)
News mentions (0)
No linked articles in our index yet.