CVE Catalog

CVE-2026-52798

HighCVSS 8.9
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.43%

34th percentile — higher than 34% of all known CVEs

Summary

Gogs is an open-source Git service that prior to version 0.14.3 had a vulnerability allowing the execution of malicious JavaScript code. Although .ipynb previews were sanitized on the server side, their content was re-rendered on the client side without proper sanitization, leading to the possibility of XSS attacks.

Risk Assessment

Organizations using Gogs may be exposed to XSS attacks that could lead to data theft or session hijacking. In particular, users opening malicious .ipynb files may unknowingly execute harmful code.

Recommendation

It is recommended to update Gogs to version 0.14.3 or later to eliminate this vulnerability. Additionally, conducting a security audit of the application and educating users about potential threats related to opening files from unknown sources is advisable.

Original NVD description (English source)

Gogs is an open source self-hosted Git service. Prior to 0.14.3, although .ipynb previews are sanitized on the server side via /-/api/sanitize_ipynb, the inserted content is re-rendered on the client side without sanitization using marked() on elements with the .nb-markdown-cell class. During this process, links containing schemes such as javascript: can be regenerated. As a result, when a victim views an attacker-crafted .ipynb file and clicks the link, arbitrary JavaScript is executed in the Gogs origin, leading to a click-based Stored XSS. This vulnerability is fixed in 0.14.3.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS