High severity · NVD Advisory · Published Mar 5, 2026 · Updated Mar 7, 2026
Gogs: DOM-based XSS via milestone selection
CVE-2026-26276
Description
Gogs is an open source self-hosted Git service. Prior to version 0.14.2, an attacker can store an HTML/JavaScript payload in a repository’s Milestone name, and when another user selects that Milestone on the New Issue page (/issues/new), a DOM-based XSS is triggered. This issue has been patched in version 0.14.2.
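To make the mechanism concrete, the following is an added example written for this page; it is not Gogs code and not part of the advisory. It reproduces the string-concatenation rendering that the removed lines of the fix commit used for the milestone dropdown, places a text-safe rendering beside it, and adds a small audit helper a defender can run over stored milestone names after upgrading. The href, milestone name and all function names are constructed for illustration.

```javascript
// Added example (not Gogs code): contrasts markup built by string
// concatenation with markup that treats the milestone name as text.

// Minimal HTML escaping for text nodes and double-quoted attribute values.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern, mirroring the removed lines of the patch: name and href
// are spliced straight into markup, so any tags in the name become live DOM
// once the string is assigned with .html() / innerHTML. Note the href is
// also emitted without quotes.
function renderMilestoneUnsafe(href, name) {
  return '<a class="item" href=' + href + ">" + name + "</a>";
}

// Safe pattern: the name is escaped so it can only ever be text, and the href
// is quoted and escaped so it cannot break out of its attribute. This is the
// string-based equivalent of the patch's .attr()/.text() DOM construction.
function renderMilestoneSafe(href, name) {
  return (
    '<a class="item" href="' + escapeHtml(href) + '">' + escapeHtml(name) + "</a>"
  );
}

// Counts opening tags in a rendered string, to show whether anything beyond
// the single intended anchor made it into the markup.
function countTags(html) {
  return (html.match(/<[a-zA-Z][^>]*>/g) || []).length;
}

// Audit helper (hypothetical): flags stored milestone names that contain
// angle brackets, so an administrator can review them after upgrading.
function findSuspiciousNames(names) {
  return names.filter((n) => /[<>]/.test(String(n)));
}

// Constructed sample input: a milestone whose name carries harmless markup.
const sampleHref = "/owner/repo/milestones/1";
const sampleName = 'Sprint 1 <b class="x">bold</b>';

console.log("unsafe:", renderMilestoneUnsafe(sampleHref, sampleName));
console.log("safe:  ", renderMilestoneSafe(sampleHref, sampleName));
console.log("audit: ", findSuspiciousNames(["v1.0", sampleName, "plain"]));
```

Running the block shows the unsafe rendering carrying a second element (the `<b>` from the name) while the safe rendering carries only the anchor; the audit helper returns the one name that needs review.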
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| gogs.io/gogs (Go) | <= 0.13.3 | — |
Affected products
Patches (1)
9001a68cdda7 js: use safe DOM construction for milestone and assignee selection (#8178)
2 files changed · +12 −21
CHANGELOG.md+1 −0 modified@@ -7,6 +7,7 @@ All notable changes to Gogs are documented in this file. ### Fixed - _Security:_ Cross-repository LFS object overwrite via missing content hash verification. [#8166](https://github.com/gogs/gogs/pull/8166) - [GHSA-gmf8-978x-2fg2](https://github.com/gogs/gogs/security/advisories/GHSA-gmf8-978x-2fg2) +- _Security:_ DOM-based XSS via issue meta selection on the issue page. [#8178](https://github.com/gogs/gogs/pull/8178) - [GHSA-vgjm-2cpf-4g7c](https://github.com/gogs/gogs/security/advisories/GHSA-vgjm-2cpf-4g7c) ### Removed
public/js/gogs.js+11 −21 modified@@ -240,29 +240,19 @@ function initCommentForm() { } switch (input_id) { case "#milestone_id": - $list - .find(".selected") - .html( - '<a class="item" href=' + - $(this).data("href") + - ">" + - $(this).text() + - "</a>" - ); + var $milestoneAnchor = $('<a class="item"></a>'); + $milestoneAnchor.attr("href", $(this).data("href")); + $milestoneAnchor.text($(this).text()); + $list.find(".selected").empty().append($milestoneAnchor); break; case "#assignee_id": - $list - .find(".selected") - .html( - '<a class="item" href=' + - $(this).data("href") + - ">" + - '<img class="ui avatar image" src=' + - $(this).data("avatar") + - ">" + - $(this).text() + - "</a>" - ); + var $assigneeAnchor = $('<a class="item"></a>'); + $assigneeAnchor.attr("href", $(this).data("href")); + $assigneeAnchor.append( + $('<img class="ui avatar image">').attr("src", $(this).data("avatar")) + ); + $assigneeAnchor.append($("<span></span>").text($(this).text())); + $list.find(".selected").empty().append($assigneeAnchor); } $(".ui" + select_id + ".list .no-select").addClass("hide"); $(input_id).val($(this).data("id"));
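Review bot: in the `public/js/gogs.js` hunk, `.attr("href", $(this).data("href"))` stops the value from breaking out of the attribute (the removed code emitted `href=` with no quotes at all), but it does not validate the URL itself, so it is worth confirming that `data-href` on milestone and assignee items is always rendered server-side from a fixed route and never from user-supplied text; `.attr()` would not reject a script-scheme URL if that ever changed. Two smaller points: the `#assignee_id` case now ends without a `break;` (harmless as the last case, but worth adding for consistency with `#milestone_id`), and the two branches build the label differently (`.text()` directly on the anchor versus a wrapped `<span>`), which looks intentional for the avatar layout but deserves a short comment.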
References (6)
- github.com/advisories/GHSA-vgjm-2cpf-4g7c (GHSA, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-26276 (GHSA, ADVISORY)
- github.com/gogs/gogs/commit/9001a68cdda7bd9c078ffd6d1c4622905ac11e5c (GHSA, WEB)
- github.com/gogs/gogs/pull/8178 (GHSA, x_refsource_MISC, WEB)
- github.com/gogs/gogs/releases/tag/v0.14.2 (GHSA, x_refsource_MISC, WEB)
- github.com/gogs/gogs/security/advisories/GHSA-vgjm-2cpf-4g7c (GHSA, x_refsource_CONFIRM, WEB)
News mentions (0)
No linked articles in our index yet.