High severity · NVD Advisory · Published Jun 22, 2026

Gogs has Stored XSS in `.ipynb` Preview

CVE-2026-52798

Description

# Summary

Although `.ipynb` previews are sanitized on the server side via `/-/api/sanitize_ipynb`, the inserted content is re-rendered on the client side without sanitization using `marked()` on elements with the `.nb-markdown-cell` class. During this process, links containing schemes such as `javascript:` can be regenerated.

As a result, when a victim views an attacker-crafted `.ipynb` file and clicks the link, arbitrary JavaScript is executed in the Gogs origin, leading to a click-based Stored XSS.

# Details

After the rendered output of a `.ipynb` file is sanitized via `/-/api/sanitize_ipynb` and inserted into the DOM, **only the Markdown cell portions are re-rendered using `marked()` and overwritten in the DOM**. During this process, links with the `javascript:` scheme can be regenerated.

`templates/repo/view_file.tmpl:42–71`

```
{{else if .IsIPythonNotebook}}
```

While **regular HTML pages (including `.ipynb` preview pages)** are served **without a Content Security Policy (CSP)**, CSP headers are applied **only to attachment delivery routes**.

`internal/cmd/web.go:323`

```go
c.Header().Set("Content-Security-Policy", "default-src 'none'; style-src 'unsafe-inline'; sandbox")
```
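The re-rendering problem described above, as an added example that is neither Gogs code nor the marked library: a stand-in link renderer that, like the unsanitized `marked()` call, emits whatever URL the Markdown cell contains, beside a post-render pass that applies a URL-scheme allowlist to every anchor before the HTML is written to the DOM. The function names, the allowlist and every sample input other than the page's own PoC cell are this example's assumptions. The check decodes HTML entities and strips the tab and newline characters browsers ignore, so `&#106;avascript:` and `java\tscript:` are rejected along with the plain form, while relative and `https:` links are kept.

```javascript
// Added example, not Gogs or marked() code. It models the bug in the advisory
// (client-side Markdown rendering that emits javascript: links) and a
// defensive post-render pass that enforces a URL-scheme allowlist.
// Function names, allowlist and sample inputs are this example's choices;
// the PoC cell source is the one from the advisory.

const POC_CELL = '[poc](javascript:alert(document.domain))';

// Schemes a notebook preview legitimately needs. Relative URLs (no scheme)
// are also allowed; everything else (javascript:, data:, vbscript:, ...) is not.
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);

function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Stand-in for the unsanitized marked() call: turns [text](url) into an
// anchor and passes the URL through untouched, scheme included.
function renderMarkdownLinksUnsafe(md) {
  const link = /\[([^\]]+)\]\(((?:[^()\s]|\([^()\s]*\))+)\)/g;
  return md.replace(link, (_m, text, url) =>
    `<a href="${escapeHtml(url)}">${escapeHtml(text)}</a>`);
}

// Decode the entity forms a browser would decode inside an attribute value,
// so an href written as "&#106;avascript:" is checked as "javascript:".
function decodeEntities(s) {
  const fromCodePoint = (n) => (n <= 0x10ffff ? String.fromCodePoint(n) : '\uFFFD');
  const named = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", colon: ':', tab: '\t', newline: '\n' };
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_m, h) => fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_m, d) => fromCodePoint(parseInt(d, 10)))
    .replace(/&(amp|lt|gt|quot|apos|colon|tab|newline);/gi, (_m, n) => named[n.toLowerCase()]);
}

// True when the URL is relative or uses an allowlisted scheme. Mirrors the
// URL parser's pre-processing: tab and newline are removed anywhere, and
// leading/trailing C0 controls and spaces are trimmed, before the scheme
// is read. Anything that still parses to a non-allowlisted scheme fails.
function isSafeUrl(rawHref) {
  const href = decodeEntities(rawHref)
    .replace(/[\t\n\r]/g, '')
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '');
  const scheme = /^([a-z][a-z0-9+.-]*):/i.exec(href);
  if (!scheme) return true; // no scheme: relative, stays on the same origin
  return ALLOWED_SCHEMES.has(scheme[1].toLowerCase());
}

// Post-render pass over HTML that is about to overwrite the DOM: any <a>
// whose href fails isSafeUrl loses the href (text stays, link goes inert).
// Regex-based on purpose to stay dependency-free; a DOM walk or DOMPurify
// is the production-grade equivalent.
function sanitizeAnchorHrefs(html) {
  const anchor = /<a\b([^>]*?)\shref\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))([^>]*)>/gi;
  return html.replace(anchor, (m, before, dq, sq, bare, after) => {
    const href = dq ?? sq ?? bare ?? '';
    return isSafeUrl(href) ? m : `<a${before}${after}>`;
  });
}

// The fixed pipeline: render on the client, then sanitize what was rendered.
function renderNotebookCell(md) {
  return sanitizeAnchorHrefs(renderMarkdownLinksUnsafe(md));
}

console.log('unsafe :', renderMarkdownLinksUnsafe(POC_CELL));
console.log('fixed  :', renderNotebookCell(POC_CELL));
```

Dropping the `href` keeps the link text visible but inert, which is what a reader of a notebook preview should get from an untrusted link. In production the same scheme check belongs in the Markdown renderer's link hook or in a DOM-based sanitizer such as DOMPurify run over the client-rendered output; the regex pass here only keeps the example dependency-free. The general point the advisory illustrates is that sanitizing on the server and then re-rendering raw Markdown on the client discards the server's work: whatever renders last is what must be sanitized.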

# Steps to Reproduce

1. As the attacker, add and push/commit a `.ipynb` file containing a `javascript:` link in a Markdown cell to a repository.

   Example (PoC):

   ```json
   {
     "nbformat": 4,
     "nbformat_minor": 2,
     "metadata": {},
     "cells": [
       {
         "cell_type": "markdown",
         "metadata": {},
         "source": [
           "[poc](javascript:alert(document.domain))"
         ]
       }
     ]
   }
   ```

2. The victim opens the file on Gogs (e.g., `///src//poc.ipynb`).

3. When the victim clicks the `poc` link displayed in the preview, `alert(document.domain)` is executed in the same Gogs origin.

# Minimum Required Privileges

* **Attacker**: Ability to place a `.ipynb` file as a **regular (non-admin) user**
  * For example: a general user who can create a public repository and add files.
  * Or: write access (collaborator, etc.) to an existing repository that the victim will view.
* **Victim**: Permission to view the repository (a click is required).

# Impact

* Unauthorized actions performed with the victim’s account privileges (e.g., repository settings changes, Issue operations, luring the victim into creating a token).
* Theft of information accessible to the victim (repository/Issue/Wiki contents, tokens exposed in page context).
* If the victim is an administrator, the impact may escalate to instance-wide configuration changes and user management.


Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Ecosystem | Affected versions | Patched versions |
| --- | --- | --- | --- |
| gogs.io/gogs | Go | < 0.14.3 | 0.14.3 |
