CVE-2026-52798
HighCVSS 8.9Exploitation Probability (EPSS)
Low risk34th percentile — higher than 34% of all known CVEs
Summary
Gogs is an open-source Git service that prior to version 0.14.3 had a vulnerability allowing the execution of malicious JavaScript code. Although .ipynb previews were sanitized on the server side, their content was re-rendered on the client side without proper sanitization, leading to the possibility of XSS attacks.
Risk Assessment
Organizations using Gogs may be exposed to XSS attacks that could lead to data theft or session hijacking. In particular, users opening malicious .ipynb files may unknowingly execute harmful code.
Recommendation
It is recommended to update Gogs to version 0.14.3 or later to eliminate this vulnerability. Additionally, conducting a security audit of the application and educating users about potential threats related to opening files from unknown sources is advisable.
Original NVD description (English source)
Gogs is an open source self-hosted Git service. Prior to 0.14.3, although .ipynb previews are sanitized on the server side via /-/api/sanitize_ipynb, the inserted content is re-rendered on the client side without sanitization using marked() on elements with the .nb-markdown-cell class. During this process, links containing schemes such as javascript: can be regenerated. As a result, when a victim views an attacker-crafted .ipynb file and clicks the link, arbitrary JavaScript is executed in the Gogs origin, leading to a click-based Stored XSS. This vulnerability is fixed in 0.14.3.

