Publish GHSA-vgvf-m4fw-938j

advisory-database[bot] · advisory-database[bot] · commit b1ec9ce22082 · 2026-03-05T19:50:25.000Z
diff --git a/advisories/github-reviewed/2026/03/GHSA-vgvf-m4fw-938j/GHSA-vgvf-m4fw-938j.json b/advisories/github-reviewed/2026/03/GHSA-vgvf-m4fw-938j/GHSA-vgvf-m4fw-938j.json
@@ -0,0 +1,69 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-vgvf-m4fw-938j",
+  "modified": "2026-03-05T19:48:33Z",
+  "published": "2026-03-05T19:48:33Z",
+  "aliases": [
+    "CVE-2026-26195"
+  ],
+  "summary": "Gogs: Stored XSS in branch and wiki views through author and committer names",
+  "details": "### Summary\n\nStored XSS is still possible through unsafe template rendering that mixes user input with `safe()` plus permissive sanitizer handling of data URLs.\n\n### Details\n\n`safe()` still turns off escaping:\n- internal/template/template.go\n- `func safe(raw string) template.HTML { return template.HTML(raw) }`\n\nBranch pages still render committer names using `safe()`:\n- templates/repo/branches/overview.tmpl\n- templates/repo/branches/all.tmpl\n- templates/repo/wiki/view.tmpl\n\nThe locale still injects a raw second argument: conf/locale/locale_en-US.ini (`branches.updated_by = updated %[1]s by %[2]s`)\n\n### Impact\n\nAn attacker who can inject commit metadata such as author/committer name can trigger script execution on affected pages, leading to session abuse, CSRF token theft, or unauthorized actions.\n\n### Recommended Fix\n\n- Untrusted arguments should be escaped before being used in translations.\n- Data URLs should be limited or blocked in the sanitizer.\n\n### Remediation\nA fix is available at https://github.com/gogs/gogs/releases/tag/v0.14.2.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "gogs.io/gogs"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "last_affected": "0.13.3"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/gogs/gogs/security/advisories/GHSA-vgvf-m4fw-938j"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/gogs/gogs/pull/8176"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/gogs/gogs/commit/ac21150a53bef3a3061f4da787ab193a8d68ecfc"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/gogs/gogs"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/gogs/gogs/releases/tag/v0.14.2"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-05T19:48:33Z",
+    "nvd_published_at": null
+  }
+}
