CVE Catalog
CVE-2026-28737
Severity: High (CVSS 8.7)
Exploitation Probability (EPSS): 0.34% (low risk)
26th percentile — higher than 26% of all known CVEs
Summary
A stored cross-site scripting vulnerability in Gitea allows attackers to inject malicious scripts via the extensionsRequired field in glTF files rendered by the 3D file viewer. Affects Gitea versions from 1.25.0 up to, but not including, 1.26.0.
Risk Assessment
An attacker can execute arbitrary JavaScript in the victim's browser, potentially leading to session hijacking, repository modification, or data theft.
Recommendation
Upgrade Gitea to version 1.26.0 or later immediately to mitigate the vulnerability.
Original NVD description (English source)
Gitea versions from 1.25.0 before 1.26.0 allow stored cross-site scripting through the extensionsRequired field in glTF files rendered by the 3D file viewer.