CVE-2026-52807 (GCVE-0-2026-52807)
Vulnerability from cvelistv5 – Published: 2026-06-24 20:25 – Updated: 2026-06-24 20:25
VLAI
Title
Gogs: DOM-based XSS via Milestone Name on New Issue Page
Summary
Gogs is an open source self-hosted Git service. Prior to 0.14.3, in new_form.tmpl, milestone names are rendered with Go's default auto-escaping ({{.Name}}), which converts < to < etc. This prevents direct HTML injection. However, when the browser renders the DOM, the text content of the element contains the decoded original payload. Semantic UI 2.4.2's dropdown component has preserveHTML: true as the default setting. When a user selects a dropdown item, the internal set.text() method calls jQuery's .html() with the item's text content. This re-parses the decoded text as HTML, creating the injected element and triggering the JavaScript event handler. An attacker can store an HTML/JavaScript payload in a milestone name, and when any user opens the New Issue page and interacts with the milestone dropdown, the payload executes in their browser via Semantic UI's preserveHTML behavior. This vulnerability is fixed in 0.14.3.
Severity
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/gogs/gogs/security/advisories/… | x_refsource_CONFIRM |
| https://github.com/gogs/gogs/pull/8325 | x_refsource_MISC |
| https://github.com/gogs/gogs/commit/573eacdc65864… | x_refsource_MISC |
| https://github.com/gogs/gogs/releases/tag/v0.14.3 | x_refsource_MISC |
{
"containers": {
"cna": {
"affected": [
{
"product": "gogs",
"vendor": "gogs",
"versions": [
{
"status": "affected",
"version": "\u003c 0.14.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Gogs is an open source self-hosted Git service. Prior to 0.14.3, in new_form.tmpl, milestone names are rendered with Go\u0027s default auto-escaping ({{.Name}}), which converts \u003c to \u0026lt; etc. This prevents direct HTML injection. However, when the browser renders the DOM, the text content of the element contains the decoded original payload. Semantic UI 2.4.2\u0027s dropdown component has preserveHTML: true as the default setting. When a user selects a dropdown item, the internal set.text() method calls jQuery\u0027s .html() with the item\u0027s text content. This re-parses the decoded text as HTML, creating the injected element and triggering the JavaScript event handler. An attacker can store an HTML/JavaScript payload in a milestone name, and when any user opens the New Issue page and interacts with the milestone dropdown, the payload executes in their browser via Semantic UI\u0027s preserveHTML behavior. This vulnerability is fixed in 0.14.3."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "ACTIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T20:25:49.230Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gogs/gogs/security/advisories/GHSA-vcm5-gvmp-78mp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gogs/gogs/security/advisories/GHSA-vcm5-gvmp-78mp"
},
{
"name": "https://github.com/gogs/gogs/pull/8325",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gogs/gogs/pull/8325"
},
{
"name": "https://github.com/gogs/gogs/commit/573eacdc658641487f8ad883da96b29ec8e2852d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gogs/gogs/commit/573eacdc658641487f8ad883da96b29ec8e2852d"
},
{
"name": "https://github.com/gogs/gogs/releases/tag/v0.14.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gogs/gogs/releases/tag/v0.14.3"
}
],
"source": {
"advisory": "GHSA-vcm5-gvmp-78mp",
"discovery": "UNKNOWN"
},
"title": "Gogs: DOM-based XSS via Milestone Name on New Issue Page"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-52807",
"datePublished": "2026-06-24T20:25:49.230Z",
"dateReserved": "2026-06-08T18:02:19.731Z",
"dateUpdated": "2026-06-24T20:25:49.230Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
GHSA-VCM5-GVMP-78MP
Vulnerability from github – Published: 2026-06-23 17:02 – Updated: 2026-06-23 17:02
VLAI
Summary
Gogs has DOM-based XSS via Milestone Name on New Issue Page
Details
Summary
The fix for GHSA-vgjm-2cpf-4g7c (DOM-based XSS via milestone selection) was only applied to templates/repo/issue/view_content.tmpl but not to templates/repo/issue/new_form.tmpl. An attacker can store an HTML/JavaScript payload in a milestone name, and when any user opens the New Issue page and interacts with the milestone dropdown, the payload executes in their browser via Semantic UI's preserveHTML behavior.
Details
GHSA-vgjm-2cpf-4g7c was patched by adding | Sanitize (bluemonday HTML tag stripping) to milestone name rendering in view_content.tmpl. However, the same milestone dropdown exists in new_form.tmpl and was not patched.
In new_form.tmpl, milestone names are rendered with Go's default auto-escaping ({{.Name}}), which converts < to < etc. This prevents direct HTML injection. However, when the browser renders the DOM, the text content of the element contains the decoded original payload (e.g., <img src=x onerror=alert(1)>).
Semantic UI 2.4.2's dropdown component has preserveHTML: true as the default setting. When a user selects a dropdown item, the internal set.text() method calls jQuery's .html() with the item's text content. This re-parses the decoded text as HTML, creating the injected element and triggering the JavaScript event handler.
PoC
poc.zip Please extract the uploaded compressed file before proceeding
- docker compose up --build
Impact
- Stored DOM XSS: Any user with write access to a repository can create a malicious milestone. Any other user who visits the New Issue page and interacts with the milestone dropdown will have arbitrary JavaScript executed in their browser session.
- Session hijacking: The attacker can steal session cookies, perform actions as the victim, or escalate privileges.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "gogs.io/gogs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.14.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-52807"
],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-23T17:02:52Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\nThe fix for GHSA-vgjm-2cpf-4g7c (DOM-based XSS via milestone selection) was only applied to `templates/repo/issue/view_content.tmpl` but not to `templates/repo/issue/new_form.tmpl`. An attacker can store an HTML/JavaScript payload in a milestone name, and when any user opens the New Issue page and interacts with the milestone dropdown, the payload executes in their browser via Semantic UI\u0027s `preserveHTML` behavior.\n\n### Details\nGHSA-vgjm-2cpf-4g7c was patched by adding `| Sanitize` (bluemonday HTML tag stripping) to milestone name rendering in `view_content.tmpl`. However, the same milestone dropdown exists in `new_form.tmpl` and was **not** patched.\n\nIn `new_form.tmpl`, milestone names are rendered with Go\u0027s default auto-escaping (`{{.Name}}`), which converts `\u003c` to `\u0026lt;` etc. This prevents direct HTML injection. However, when the browser renders the DOM, the text content of the element contains the **decoded** original payload (e.g., `\u003cimg src=x onerror=alert(1)\u003e`).\n\nSemantic UI 2.4.2\u0027s dropdown component has `preserveHTML: true` as the default setting. When a user selects a dropdown item, the internal `set.text()` method calls jQuery\u0027s `.html()` with the item\u0027s text content. This re-parses the decoded text as HTML, creating the injected element and triggering the JavaScript event handler.\n\n### PoC\n[poc.zip](https://github.com/user-attachments/files/26508268/poc.zip)\nPlease extract the uploaded compressed file before proceeding\n\n1. docker compose up --build\n\n\u003cimg width=\"1325\" height=\"315\" alt=\"\u1109\u1173\u110f\u1173\u1105\u1175\u11ab\u1109\u1163\u11ba 2026-04-06 \u110b\u1169\u1112\u116e 9 34 05\" src=\"https://github.com/user-attachments/assets/87895cce-5b8e-4320-829a-87a5890cc0d9\" /\u003e\n\n### Impact\n- Stored DOM XSS: Any user with write access to a repository can create a malicious milestone. Any other user who visits the New Issue page and interacts with the milestone dropdown will have arbitrary JavaScript executed in their browser session.\n- Session hijacking: The attacker can steal session cookies, perform actions as the victim, or escalate privileges.",
"id": "GHSA-vcm5-gvmp-78mp",
"modified": "2026-06-23T17:02:52Z",
"published": "2026-06-23T17:02:52Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/gogs/gogs/security/advisories/GHSA-vcm5-gvmp-78mp"
},
{
"type": "WEB",
"url": "https://github.com/gogs/gogs/pull/8325"
},
{
"type": "WEB",
"url": "https://github.com/gogs/gogs/commit/573eacdc658641487f8ad883da96b29ec8e2852d"
},
{
"type": "PACKAGE",
"url": "https://github.com/gogs/gogs"
},
{
"type": "WEB",
"url": "https://github.com/gogs/gogs/releases/tag/v0.14.3"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Gogs has DOM-based XSS via Milestone Name on New Issue Page"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…