CVE-2026-26022
📋 TL;DR
This stored XSS vulnerability in Gogs allows authenticated users to inject malicious JavaScript via data: URIs in comments and issue descriptions. The vulnerability affects all Gogs instances running versions before 0.14.2. Successful exploitation could lead to session hijacking, account takeover, or malware distribution.
💻 Affected Systems
- Gogs
📦 What is this software?
Gogs by Gogs
⚠️ Risk & Real-World Impact
Worst Case
An attacker could steal administrator credentials, take over the Gogs instance, compromise the underlying server, and use it as a pivot point to attack internal networks.
Likely Case
Authenticated attackers inject malicious scripts that steal session cookies or credentials from other users who view the poisoned comments/issues.
If Mitigated
With proper network segmentation and least privilege access, impact is limited to the Gogs application and potentially user accounts within it.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once authenticated. The vulnerability is in the HTML sanitizer logic that explicitly allows data: URIs.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.14.2
Vendor Advisory: https://github.com/gogs/gogs/security/advisories/GHSA-xrcr-gmf5-2r8j
Restart Required: Yes
Instructions:
1. Back up your Gogs data and configuration.
2. Stop the Gogs service.
3. Update to version 0.14.2 or later.
4. Restart the Gogs service.
5. Verify the update was successful.
🔧 Temporary Workarounds
Disable user comments/issues
Temporarily disable comment and issue creation in the Gogs configuration
Edit custom/conf/app.ini and set [repository] ENABLE_ISSUES = false and [repository] ENABLE_COMMENTS = false
Restrict user registration
Disable new user registration to prevent the creation of new malicious accounts
Edit custom/conf/app.ini and set [service] DISABLE_REGISTRATION = true
🧯 If You Can't Patch
- Implement a web application firewall (WAF) with XSS protection rules
- Restrict user permissions to only trusted individuals and implement strong authentication
🔍 How to Verify
Check if Vulnerable:
Check Gogs version via web interface or configuration file. Versions before 0.14.2 are vulnerable.
Check Version:
grep -i version /path/to/gogs/custom/conf/app.ini or check web interface About page
Verify Fix Applied:
After updating, verify version is 0.14.2 or later and test that data: URIs in comments/issues are properly sanitized.
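As an added check for the "Verify Fix Applied" step (example code written for this page, not part of the advisory or of Gogs), the script below scans the HTML that Gogs renders for a comment or issue and reports any URL attribute whose scheme a browser would read as data:, including mixed-case, leading-whitespace and entity-encoded variants that a naive prefix check would miss. The sample HTML strings are constructed; feed it the real rendered markup of a test comment on your instance.

```python
"""Check rendered Gogs comment/issue HTML for surviving data: URIs.

Added example, not advisory or Gogs code. Input is the HTML Gogs renders
for a comment; output is every URL attribute whose scheme resolves to
data: under the loose parsing a browser applies.
"""
from html.parser import HTMLParser
import re

# Attributes browsers treat as URLs; a data: value in any of them means the
# sanitizer let inline content through.
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href",
             "poster", "data", "background"}

# Browsers strip leading C0 controls/space and remove ASCII tab/newline
# anywhere in the URL before matching the scheme; schemes are case-insensitive.
_LEADING_JUNK = re.compile(r"^[\x00-\x20]+")
_TAB_NL = re.compile(r"[\t\n\r]")
_SCHEME = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.-]*):")

def normalize_scheme(value: str) -> str:
    """Return the lowercase scheme a browser would see, or '' if relative."""
    cleaned = _TAB_NL.sub("", _LEADING_JUNK.sub("", value))
    m = _SCHEME.match(cleaned)
    return m.group(1).lower() if m else ""

class _DataUriFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag/attribute names and decodes entities in
        # attribute values, so "dat&#97;:" arrives here as "data:".
        for name, value in attrs:
            if value is not None and name in URL_ATTRS \
                    and normalize_scheme(value) == "data":
                self.hits.append((tag, name, value))

def find_data_uris(rendered_html: str) -> list:
    """Return [(tag, attribute, value)] for every data: URI left in the markup."""
    parser = _DataUriFinder()
    parser.feed(rendered_html)
    parser.close()
    return parser.hits

# Constructed samples: a render that still carries data: URIs, and a clean one.
UNPATCHED_RENDER = ('<p>see <a href=" DATA:text/plain,hi">this</a> and '
                    '<img src="dat&#97;:text/plain,x"></p>')
PATCHED_RENDER = '<p>see <a href="https://example.invalid/x">this</a></p>'

if __name__ == "__main__":
    for label, html in (("unpatched", UNPATCHED_RENDER), ("patched", PATCHED_RENDER)):
        hits = find_data_uris(html)
        print(f"{label}: {'FAIL' if hits else 'OK'} {hits}")
```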
📡 Detection & Monitoring
Log Indicators:
- Unusual comment/issue creation patterns
- Multiple failed authentication attempts followed by successful login
Network Indicators:
- Outbound connections to suspicious domains from Gogs server
- Unusual traffic patterns to/from Gogs instance
SIEM Query:
source="gogs" AND (event="comment_created" OR event="issue_created") | stats count by user