CVE-2026-26195

medium

Description

Gogs is an open source self-hosted Git service. Prior to version 0.14.2, stored xss is still possible through unsafe template rendering that mixes user input with safe plus permissive sanitizer handling of data urls. This issue has been patched in version 0.14.2.

References

https://github.com/gogs/gogs/security/advisories/GHSA-vgvf-m4fw-938j

https://github.com/gogs/gogs/releases/tag/v0.14.2

https://github.com/gogs/gogs/pull/8176

https://github.com/gogs/gogs/commit/ac21150a53bef3a3061f4da787ab193a8d68ecfc

Details

Source: Mitre, NVD

Published: 2026-03-05

Updated: 2026-03-06

Risk Information

CVSS v2

Base Score: 6.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 6.1

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Severity: Medium

CVSS v4

Base Score: 6.9

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Severity: Medium

EPSS

EPSS: 0.00047