Vulnerability-Lookup

CVE-2026-52816 (GCVE-0-2026-52816)

Vulnerability from cvelistv5 – Published: 2026-06-24 20:26 – Updated: 2026-06-24 20:26

Title

Gogs: Unauthenticated Jupyter Notebook (ipynb) Sanitizer allows arbitrary data: URIs leading to XSS

Summary

Gogs is an open source self-hosted Git service. Prior to 0.14.3, the Jupyter Notebook (ipynb) sanitizer endpoint at POST /-/api/sanitize_ipynb allows arbitrary data: URIs without proper restrictions, potentially leading to Cross-Site Scripting (XSS). The endpoint uses bluemonday.UGCPolicy() with p.AllowURLSchemes("data") which permits all data URI schemes including data:text/html, enabling attackers to inject malicious HTML/JavaScript. Additionally, the endpoint has no authentication middleware, allowing any registered user to exploit this vulnerability. This vulnerability is fixed in 0.14.3.

Severity

5.4 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:P

CWE

CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

Assigner

GitHub_M

References

4 references

URL	Tags
https://github.com/gogs/gogs/security/advisories/…	x_refsource_CONFIRM
https://github.com/gogs/gogs/pull/8326	x_refsource_MISC
https://github.com/gogs/gogs/commit/dd1bd9837aa19…	x_refsource_MISC
https://github.com/gogs/gogs/releases/tag/v0.14.3	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
gogs	gogs	Affected: < 0.14.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "product": "gogs",
          "vendor": "gogs",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.14.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Gogs is an open source self-hosted Git service. Prior to 0.14.3, the Jupyter Notebook (ipynb) sanitizer endpoint at POST /-/api/sanitize_ipynb allows arbitrary data: URIs without proper restrictions, potentially leading to Cross-Site Scripting (XSS). The endpoint uses bluemonday.UGCPolicy() with p.AllowURLSchemes(\"data\") which permits all data URI schemes including data:text/html, enabling attackers to inject malicious HTML/JavaScript. Additionally, the endpoint has no authentication middleware, allowing any registered user to exploit this vulnerability. This vulnerability is fixed in 0.14.3."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "PASSIVE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:P",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-80",
              "description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-24T20:26:34.151Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/gogs/gogs/security/advisories/GHSA-3w28-36p9-w929",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/gogs/gogs/security/advisories/GHSA-3w28-36p9-w929"
        },
        {
          "name": "https://github.com/gogs/gogs/pull/8326",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/gogs/gogs/pull/8326"
        },
        {
          "name": "https://github.com/gogs/gogs/commit/dd1bd9837aa196b3ed3a8ee21e5727b5d7a986a3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/gogs/gogs/commit/dd1bd9837aa196b3ed3a8ee21e5727b5d7a986a3"
        },
        {
          "name": "https://github.com/gogs/gogs/releases/tag/v0.14.3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/gogs/gogs/releases/tag/v0.14.3"
        }
      ],
      "source": {
        "advisory": "GHSA-3w28-36p9-w929",
        "discovery": "UNKNOWN"
      },
      "title": "Gogs: Unauthenticated Jupyter Notebook (ipynb) Sanitizer allows arbitrary data: URIs leading to XSS"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-52816",
    "datePublished": "2026-06-24T20:26:34.151Z",
    "dateReserved": "2026-06-08T18:11:06.660Z",
    "dateUpdated": "2026-06-24T20:26:34.151Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

GHSA-3W28-36P9-W929

Vulnerability from github – Published: 2026-06-23 17:33 – Updated: 2026-06-23 17:33

Summary

Gogs's Unauthenticated Jupyter Notebook (ipynb) Sanitizer allows arbitrary data: URIs leading to XSS

Details

Summary

The Jupyter Notebook (ipynb) sanitizer endpoint at POST /-/api/sanitize_ipynb allows arbitrary data: URIs without proper restrictions, potentially leading to Cross-Site Scripting (XSS). The endpoint uses bluemonday.UGCPolicy() with p.AllowURLSchemes("data") which permits all data URI schemes including data:text/html, enabling attackers to inject malicious HTML/JavaScript. Additionally, the endpoint has no authentication middleware, allowing any registered user to exploit this vulnerability.

Severity

High

Affected Versions

All versions using the vulnerable endpoint

Vulnerability Details

CVE ID: (To be assigned)
Entry Point: POST /-/api/sanitize_ipynb
Attack Vector: Network
Authentication Required: No (only needs a registered user account)

Impact

An attacker with a registered user account can:

Send malicious HTML containing data:text/html URIs to the sanitization endpoint
Receive sanitized but attacker-controlled HTML in the response
Execute arbitrary JavaScript in the attacker's browser context through XSS
Potentially exploit other users if the sanitized output is rendered in their context

The vulnerability has higher severity because:

No authentication required (only needs a registered user account)
Unlike the safer pattern in internal/markup/sanitizer.go:39 which uses isSafeDataURI to only allow safe image MIME types, this endpoint allows ALL data URIs including HTML
The returned HTML can be used to craft XSS attacks

Proof of Concept

Attacker sends a POST request to the sanitization endpoint:

POST /-/api/sanitize_ipynb HTTP/1.1
Host: target.gogs.instance
Content-Type: text/plain

<a href="data:text/html,<script>alert(document.cookie)</script>">click</a>

The server returns the sanitized HTML with the data URI preserved:

<a href="data:text/html,<script>alert(document.cookie)</script>">click</a>

When this HTML is rendered in a browser, the JavaScript within the data URI will execute, leading to XSS.

Affected Component

File: internal/app/api.go:10-16

func ipynbSanitizer() *bluemonday.Policy {
    p := bluemonday.UGCPolicy()
    p.AllowAttrs("class", "data-prompt-number").OnElements("div")
    p.AllowAttrs("class").OnElements("img")
    p.AllowURLSchemes("data")  // <-- VULNERABLE: allows all data URIs
    return p
}

File: cmd/gogs/web.go:681-683 - No authentication middleware

m.Group("/-", func() {
    m.Get("/metrics", app.MetricsFilter(), promhttp.Handler())
    m.Group("/api", func() {
        m.Post("/sanitize_ipynb", app.SanitizeIpynb())  // <-- No auth middleware
    })
})

Root Cause

Unrestricted data URI scheme: The code at internal/app/api.go:14 uses p.AllowURLSchemes("data") without any restriction, unlike the safer implementation in internal/markup/sanitizer.go:39 which uses AllowURLSchemeWithCustomPolicy("data", isSafeDataURI) to only allow safe image MIME types.
No authentication: The endpoint at cmd/gogs/web.go:682 does not have any authentication middleware applied, making it accessible to any registered user.
Insufficient validation: The sanitization only removes dangerous tags/attributes but preserves data URIs, allowing data:text/html payloads to pass through.

Suggested Fix

Option 1: Use the same safe pattern as internal/markup/sanitizer.go

Replace p.AllowURLSchemes("data") with:

p.AllowURLSchemeWithCustomPolicy("data", isSafeDataURI)

Where isSafeDataURI is a function that only allows safe image MIME types (image/png, image/jpeg, image/gif, etc.).

Option 2: Add authentication middleware

Apply appropriate authentication to the endpoint:

m.Post("/sanitize_ipynb", middleware.signIn, app.SanitizeIpynb())

Option 3: Disable data URI scheme entirely

If data URIs are not required for ipynb sanitization:

// Remove this line entirely:
// p.AllowURLSchemes("data")

Severity

5.4 (Medium)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:P

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "gogs.io/gogs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.14.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-52816"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79",
      "CWE-80"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-23T17:33:32Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nThe Jupyter Notebook (ipynb) sanitizer endpoint at `POST /-/api/sanitize_ipynb` allows arbitrary `data:` URIs without proper restrictions, potentially leading to Cross-Site Scripting (XSS). The endpoint uses `bluemonday.UGCPolicy()` with `p.AllowURLSchemes(\"data\")` which permits all data URI schemes including `data:text/html`, enabling attackers to inject malicious HTML/JavaScript. Additionally, the endpoint has no authentication middleware, allowing any registered user to exploit this vulnerability.\n\n## Severity\n\n**High**\n\n## Affected Versions\n\nAll versions using the vulnerable endpoint\n\n## Vulnerability Details\n\n- **CVE ID**: (To be assigned)\n- **Entry Point**: `POST /-/api/sanitize_ipynb`\n- **Attack Vector**: Network\n- **Authentication Required**: No (only needs a registered user account)\n\n## Impact\n\nAn attacker with a registered user account can:\n\n- Send malicious HTML containing `data:text/html` URIs to the sanitization endpoint\n- Receive sanitized but attacker-controlled HTML in the response\n- Execute arbitrary JavaScript in the attacker\u0027s browser context through XSS\n- Potentially exploit other users if the sanitized output is rendered in their context\n\nThe vulnerability has higher severity because:\n\n1. No authentication required (only needs a registered user account)\n2. Unlike the safer pattern in `internal/markup/sanitizer.go:39` which uses `isSafeDataURI` to only allow safe image MIME types, this endpoint allows ALL data URIs including HTML\n3. The returned HTML can be used to craft XSS attacks\n\n## Proof of Concept\n\nAttacker sends a POST request to the sanitization endpoint:\n\n```http\nPOST /-/api/sanitize_ipynb HTTP/1.1\nHost: target.gogs.instance\nContent-Type: text/plain\n\n\u003ca href=\"data:text/html,\u003cscript\u003ealert(document.cookie)\u003c/script\u003e\"\u003eclick\u003c/a\u003e\n```\n\nThe server returns the sanitized HTML with the data URI preserved:\n\n```html\n\u003ca href=\"data:text/html,\u003cscript\u003ealert(document.cookie)\u003c/script\u003e\"\u003eclick\u003c/a\u003e\n```\n\nWhen this HTML is rendered in a browser, the JavaScript within the data URI will execute, leading to XSS.\n\n## Affected Component\n\n**File**: `internal/app/api.go:10-16`\n\n```go\nfunc ipynbSanitizer() *bluemonday.Policy {\n\tp := bluemonday.UGCPolicy()\n\tp.AllowAttrs(\"class\", \"data-prompt-number\").OnElements(\"div\")\n\tp.AllowAttrs(\"class\").OnElements(\"img\")\n\tp.AllowURLSchemes(\"data\")  // \u003c-- VULNERABLE: allows all data URIs\n\treturn p\n}\n```\n\n**File**: `cmd/gogs/web.go:681-683` - No authentication middleware\n\n```go\nm.Group(\"/-\", func() {\n\tm.Get(\"/metrics\", app.MetricsFilter(), promhttp.Handler())\n\tm.Group(\"/api\", func() {\n\t\tm.Post(\"/sanitize_ipynb\", app.SanitizeIpynb())  // \u003c-- No auth middleware\n\t})\n})\n```\n\n## Root Cause\n\n1. **Unrestricted data URI scheme**: The code at `internal/app/api.go:14` uses `p.AllowURLSchemes(\"data\")` without any restriction, unlike the safer implementation in `internal/markup/sanitizer.go:39` which uses `AllowURLSchemeWithCustomPolicy(\"data\", isSafeDataURI)` to only allow safe image MIME types.\n\n2. **No authentication**: The endpoint at `cmd/gogs/web.go:682` does not have any authentication middleware applied, making it accessible to any registered user.\n\n3. **Insufficient validation**: The sanitization only removes dangerous tags/attributes but preserves data URIs, allowing `data:text/html` payloads to pass through.\n\n## Suggested Fix\n\n**Option 1**: Use the same safe pattern as `internal/markup/sanitizer.go`\n\nReplace `p.AllowURLSchemes(\"data\")` with:\n\n```go\np.AllowURLSchemeWithCustomPolicy(\"data\", isSafeDataURI)\n```\n\nWhere `isSafeDataURI` is a function that only allows safe image MIME types (image/png, image/jpeg, image/gif, etc.).\n\n**Option 2**: Add authentication middleware\n\nApply appropriate authentication to the endpoint:\n\n```go\nm.Post(\"/sanitize_ipynb\", middleware.signIn, app.SanitizeIpynb())\n```\n\n**Option 3**: Disable data URI scheme entirely\n\nIf data URIs are not required for ipynb sanitization:\n\n```go\n// Remove this line entirely:\n// p.AllowURLSchemes(\"data\")\n```",
  "id": "GHSA-3w28-36p9-w929",
  "modified": "2026-06-23T17:33:32Z",
  "published": "2026-06-23T17:33:32Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/gogs/gogs/security/advisories/GHSA-3w28-36p9-w929"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gogs/gogs/pull/8326"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gogs/gogs/commit/dd1bd9837aa196b3ed3a8ee21e5727b5d7a986a3"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/gogs/gogs"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gogs/gogs/releases/tag/v0.14.3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Gogs\u0027s Unauthenticated Jupyter Notebook (ipynb) Sanitizer allows arbitrary data: URIs leading to XSS"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-52816 (GCVE-0-2026-52816)

GHSA-3W28-36P9-W929

Summary

Severity

Affected Versions

Vulnerability Details

Impact

Proof of Concept

Affected Component

Root Cause

Suggested Fix

Tags

Sightings

Nomenclature