CVE-2026-52798 (GCVE-0-2026-52798)
Vulnerability from cvelistv5 – Published: 2026-06-24 20:14 – Updated: 2026-06-25 17:15
VLAI
Title
Gogs: Stored XSS in `.ipynb` Preview
Summary
Gogs is an open source self-hosted Git service. Prior to 0.14.3, although .ipynb previews are sanitized on the server side via /-/api/sanitize_ipynb, the inserted content is re-rendered on the client side without sanitization using marked() on elements with the .nb-markdown-cell class. During this process, links containing schemes such as javascript: can be regenerated. As a result, when a victim views an attacker-crafted .ipynb file and clicks the link, arbitrary JavaScript is executed in the Gogs origin, leading to a click-based Stored XSS. This vulnerability is fixed in 0.14.3.
Severity
8.9 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/gogs/gogs/security/advisories/… | x_refsource_CONFIRM |
| https://github.com/gogs/gogs/pull/8319 | x_refsource_MISC |
| https://github.com/gogs/gogs/commit/17b168b11ca75… | x_refsource_MISC |
| https://github.com/gogs/gogs/releases/tag/v0.14.3 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-52798",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-25T17:14:47.335180Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T17:15:43.282Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/gogs/gogs/security/advisories/GHSA-jq8v-rmf6-65jw"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "gogs",
"vendor": "gogs",
"versions": [
{
"status": "affected",
"version": "\u003c 0.14.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Gogs is an open source self-hosted Git service. Prior to 0.14.3, although .ipynb previews are sanitized on the server side via /-/api/sanitize_ipynb, the inserted content is re-rendered on the client side without sanitization using marked() on elements with the .nb-markdown-cell class. During this process, links containing schemes such as javascript: can be regenerated. As a result, when a victim views an attacker-crafted .ipynb file and clicks the link, arbitrary JavaScript is executed in the Gogs origin, leading to a click-based Stored XSS. This vulnerability is fixed in 0.14.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.9,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T20:14:13.965Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gogs/gogs/security/advisories/GHSA-jq8v-rmf6-65jw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gogs/gogs/security/advisories/GHSA-jq8v-rmf6-65jw"
},
{
"name": "https://github.com/gogs/gogs/pull/8319",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gogs/gogs/pull/8319"
},
{
"name": "https://github.com/gogs/gogs/commit/17b168b11ca759a7550e1f4bbd68bbde14db7785",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gogs/gogs/commit/17b168b11ca759a7550e1f4bbd68bbde14db7785"
},
{
"name": "https://github.com/gogs/gogs/releases/tag/v0.14.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gogs/gogs/releases/tag/v0.14.3"
}
],
"source": {
"advisory": "GHSA-jq8v-rmf6-65jw",
"discovery": "UNKNOWN"
},
"title": "Gogs: Stored XSS in `.ipynb` Preview"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-52798",
"datePublished": "2026-06-24T20:14:13.965Z",
"dateReserved": "2026-06-08T18:02:19.731Z",
"dateUpdated": "2026-06-25T17:15:43.282Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-52798",
"date": "2026-06-27",
"epss": "0.00429",
"percentile": "0.34416"
},
"vulnrichment": {
"containers": "{\"cna\": {\"title\": \"Gogs: Stored XSS in `.ipynb` Preview\", \"source\": {\"advisory\": \"GHSA-jq8v-rmf6-65jw\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 8.9, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"gogs\", \"product\": \"gogs\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 0.14.3\"}]}], \"references\": [{\"url\": \"https://github.com/gogs/gogs/security/advisories/GHSA-jq8v-rmf6-65jw\", \"name\": \"https://github.com/gogs/gogs/security/advisories/GHSA-jq8v-rmf6-65jw\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/gogs/gogs/pull/8319\", \"name\": \"https://github.com/gogs/gogs/pull/8319\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/gogs/gogs/commit/17b168b11ca759a7550e1f4bbd68bbde14db7785\", \"name\": \"https://github.com/gogs/gogs/commit/17b168b11ca759a7550e1f4bbd68bbde14db7785\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/gogs/gogs/releases/tag/v0.14.3\", \"name\": \"https://github.com/gogs/gogs/releases/tag/v0.14.3\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Gogs is an open source self-hosted Git service. Prior to 0.14.3, although .ipynb previews are sanitized on the server side via /-/api/sanitize_ipynb, the inserted content is re-rendered on the client side without sanitization using marked() on elements with the .nb-markdown-cell class. During this process, links containing schemes such as javascript: can be regenerated. As a result, when a victim views an attacker-crafted .ipynb file and clicks the link, arbitrary JavaScript is executed in the Gogs origin, leading to a click-based Stored XSS. This vulnerability is fixed in 0.14.3.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-06-24T20:14:13.965Z\"}}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-52798\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-06-25T17:14:47.335180Z\"}}}], \"references\": [{\"url\": \"https://github.com/gogs/gogs/security/advisories/GHSA-jq8v-rmf6-65jw\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"shortName\": \"CISA-ADP\", \"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"dateUpdated\": \"2026-06-25T17:15:38.246Z\"}}]}",
"cveMetadata": "{\"cveId\": \"CVE-2026-52798\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-06-24T20:14:13.965Z\", \"dateReserved\": \"2026-06-08T18:02:19.731Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-06-24T20:14:13.965Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
GHSA-JQ8V-RMF6-65JW
Vulnerability from github – Published: 2026-06-22 23:58 – Updated: 2026-06-22 23:58
VLAI
Summary
Gogs has Stored XSS in `.ipynb` Preview
Details
Summary
Although .ipynb previews are sanitized on the server side via /-/api/sanitize_ipynb, the inserted content is re-rendered on the client side without sanitization using marked() on elements with the .nb-markdown-cell class. During this process, links containing schemes such as javascript: can be regenerated.
As a result, when a victim views an attacker-crafted .ipynb file and clicks the link, arbitrary JavaScript is executed in the Gogs origin, leading to a click-based Stored XSS.
Details
After the rendered output of a .ipynb file is sanitized via /-/api/sanitize_ipynb and inserted into the DOM, only the Markdown cell portions are re-rendered using marked() and overwritten in the DOM. During this process, links with the javascript: scheme can be regenerated.
templates/repo/view_file.tmpl:42–71
{{else if .IsIPythonNotebook}}
<script>
$.getJSON("{{.RawFileLink}}", null, function(notebook_json) {
var notebook = nb.parse(notebook_json);
var rendered = notebook.render();
$.ajax({
type: "POST",
url: '{{AppSubURL}}/-/api/sanitize_ipynb',
data: rendered.outerHTML,
processData: false,
contentType: false,
}).done(function(data) {
$("#ipython-notebook").append(data);
$("#ipython-notebook code").each(function(i, block) {
$(block).addClass("py").addClass("python");
hljs.highlightBlock(block);
});
// Overwrite image method to append proper prefix to the source URL
var renderer = new marked.Renderer();
var context = '{{.RawFileLink}}';
context = context.substring(0, context.lastIndexOf("/"));
renderer.image = function (href, title, text) {
return `<img src="${context}/${href}"`
};
$("#ipython-notebook .nb-markdown-cell").each(function(i, markdown) {
$(markdown).html(marked($(markdown).html(), {renderer: renderer}));
});
});
});
</script>
While regular HTML pages (including .ipynb preview pages) are served without a Content Security Policy (CSP), CSP headers are applied only to attachment delivery routes.
internal/cmd/web.go:323
c.Header().Set("Content-Security-Policy", "default-src 'none'; style-src 'unsafe-inline'; sandbox")
Steps to Reproduce
-
As the attacker, add and push/commit a
.ipynbfile containing ajavascript:link in a Markdown cell to a repository. -
Example (PoC):
json { "nbformat": 4, "nbformat_minor": 2, "metadata": {}, "cells": [ { "cell_type": "markdown", "metadata": {}, "source": [ "[poc](javascript:alert(document.domain))" ] } ] } -
The victim opens the file on Gogs (e.g.,
/<user>/<repo>/src/<branch>/poc.ipynb). -
When the victim clicks the
poclink displayed in the preview,alert(document.domain)is executed in the same Gogs origin.
Minimum Required Privileges
-
Attacker: Ability to place a
.ipynbfile as a regular (non-admin) user -
For example: a general user who can create a public repository and add files.
- Or: write access (collaborator, etc.) to an existing repository that the victim will view.
- Victim: Permission to view the repository (a click is required).
Impact
- Unauthorized actions performed with the victim’s account privileges (e.g., repository settings changes, Issue operations,誘導 to token creation).
- Theft of information accessible to the victim (repository/Issue/Wiki contents, tokens exposed in page context).
- If the victim is an administrator, the impact may escalate to instance-wide configuration changes and user management.
Severity
8.9 (High)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.14.2"
},
"package": {
"ecosystem": "Go",
"name": "gogs.io/gogs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.14.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-52798"
],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-22T23:58:46Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "# Summary\n\nAlthough `.ipynb` previews are sanitized on the server side via `/-/api/sanitize_ipynb`, the inserted content is **re-rendered on the client side without sanitization** using `marked()` on elements with the `.nb-markdown-cell` class. During this process, links containing schemes such as `javascript:` can be regenerated.\n\nAs a result, when a victim views an attacker-crafted `.ipynb` file and clicks the link, **arbitrary JavaScript is executed in the Gogs origin**, leading to a click-based Stored XSS.\n\n# Details\n\nAfter the rendered output of a `.ipynb` file is sanitized via `/-/api/sanitize_ipynb` and inserted into the DOM, **only the Markdown cell portions are re-rendered using `marked()` and overwritten in the DOM**. During this process, links with the `javascript:` scheme can be regenerated.\n\n`templates/repo/view_file.tmpl:42\u201371`\n\n```html\n{{else if .IsIPythonNotebook}}\n \u003cscript\u003e\n $.getJSON(\"{{.RawFileLink}}\", null, function(notebook_json) {\n var notebook = nb.parse(notebook_json);\n var rendered = notebook.render();\n $.ajax({\n type: \"POST\",\n url: \u0027{{AppSubURL}}/-/api/sanitize_ipynb\u0027,\n data: rendered.outerHTML,\n processData: false,\n contentType: false,\n }).done(function(data) {\n $(\"#ipython-notebook\").append(data);\n $(\"#ipython-notebook code\").each(function(i, block) {\n $(block).addClass(\"py\").addClass(\"python\");\n hljs.highlightBlock(block);\n });\n\n // Overwrite image method to append proper prefix to the source URL\n var renderer = new marked.Renderer();\n var context = \u0027{{.RawFileLink}}\u0027;\n context = context.substring(0, context.lastIndexOf(\"/\"));\n renderer.image = function (href, title, text) {\n return `\u003cimg src=\"${context}/${href}\"`\n };\n $(\"#ipython-notebook .nb-markdown-cell\").each(function(i, markdown) {\n $(markdown).html(marked($(markdown).html(), {renderer: renderer}));\n });\n });\n });\n \u003c/script\u003e\n```\n\nWhile **regular HTML pages (including `.ipynb` preview pages)** are served **without a Content Security Policy (CSP)**, CSP headers are applied **only to attachment delivery routes**.\n\n`internal/cmd/web.go:323`\n\n```go\nc.Header().Set(\"Content-Security-Policy\", \"default-src \u0027none\u0027; style-src \u0027unsafe-inline\u0027; sandbox\")\n```\n\n\n# Steps to Reproduce\n\n1. As the attacker, add and push/commit a `.ipynb` file containing a `javascript:` link in a Markdown cell to a repository.\n\n * Example (PoC):\n\n ```json\n {\n \"nbformat\": 4,\n \"nbformat_minor\": 2,\n \"metadata\": {},\n \"cells\": [\n {\n \"cell_type\": \"markdown\",\n \"metadata\": {},\n \"source\": [\n \"[poc](javascript:alert(document.domain))\"\n ]\n }\n ]\n }\n ```\n\n2. The victim opens the file on Gogs (e.g., `/\u003cuser\u003e/\u003crepo\u003e/src/\u003cbranch\u003e/poc.ipynb`).\n\u003cimg width=\"2386\" height=\"1218\" alt=\"image\" src=\"https://github.com/user-attachments/assets/b0d93fd8-c5ca-4058-8af0-98dee590d3ad\" /\u003e\n\n3. When the victim clicks the `poc` link displayed in the preview, `alert(document.domain)` is executed in the same Gogs origin.\n\u003cimg width=\"2390\" height=\"1388\" alt=\"image\" src=\"https://github.com/user-attachments/assets/0eb6ebe8-632c-4a41-8a11-46471514b4c4\" /\u003e\n\n# Minimum Required Privileges\n\n* **Attacker**: Ability to place a `.ipynb` file as a **regular (non-admin) user**\n\n * For example: a general user who can create a public repository and add files.\n * Or: write access (collaborator, etc.) to an existing repository that the victim will view.\n* **Victim**: Permission to view the repository (a click is required).\n\n# Impact\n\n* Unauthorized actions performed with the victim\u2019s account privileges (e.g., repository settings changes, Issue operations,\u8a98\u5c0e to token creation).\n* Theft of information accessible to the victim (repository/Issue/Wiki contents, tokens exposed in page context).\n* If the victim is an administrator, the impact may escalate to instance-wide configuration changes and user management.",
"id": "GHSA-jq8v-rmf6-65jw",
"modified": "2026-06-22T23:58:46Z",
"published": "2026-06-22T23:58:46Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/gogs/gogs/security/advisories/GHSA-jq8v-rmf6-65jw"
},
{
"type": "WEB",
"url": "https://github.com/gogs/gogs/pull/8319"
},
{
"type": "WEB",
"url": "https://github.com/gogs/gogs/commit/17b168b11ca759a7550e1f4bbd68bbde14db7785"
},
{
"type": "PACKAGE",
"url": "https://github.com/gogs/gogs"
},
{
"type": "WEB",
"url": "https://github.com/gogs/gogs/releases/tag/v0.14.3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L",
"type": "CVSS_V3"
}
],
"summary": "Gogs has Stored XSS in `.ipynb` Preview"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…