Gogs is an open source self-hosted Git service. Prior to version 0.14.2, stored xss is still possible through unsafe template rendering that mixes user input with safe plus permissive sanitizer handling of data urls. This issue has been patched in version 0.14.2.
https://github.com/gogs/gogs/security/advisories/GHSA-vgvf-m4fw-938j
https://github.com/gogs/gogs/releases/tag/v0.14.2
https://github.com/gogs/gogs/pull/8176
https://github.com/gogs/gogs/commit/ac21150a53bef3a3061f4da787ab193a8d68ecfc
Published: 2026-03-05
Updated: 2026-03-06
Base Score: 6.4
Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N
Severity: Medium
Base Score: 6.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Severity: Medium
Base Score: 6.9
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Severity: Medium
EPSS: 0.00047