CVE-2026-26276
Severity: HIGH
Gogs < 0.14.2 - Stored Cross-Site Scripting via Milestone Name
Gogs is an open source self-hosted Git service. Prior to version 0.14.2, an attacker can store an HTML/JavaScript payload in a repository’s Milestone name, and when another user selects that Milestone on the New Issue page (/issues/new), a DOM-Based XSS is triggered. This issue has been patched in version 0.14.2.
References (3)
Vendor Advisory x_refsource_confirm
https://github.com/gogs/gogs/security/advisories/GHSA-vgjm-2cpf-4g7c
Issue Tracking x_refsource_misc
https://github.com/gogs/gogs/pull/8178
Release Notes x_refsource_misc
https://github.com/gogs/gogs/releases/tag/v0.14.2
Scores
CVSS v3
7.3
EPSS
0.0018
EPSS Percentile
8.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-79
Status
published
Products (1)
gogs/gogs
< 0.14.2
Published
Mar 05, 2026
Tracked Since
Mar 06, 2026