8 matches found
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS in the extensionsRequired field of glTF files processed by the 3D file viewer. An attacker can execute arbitrary JavaScript code in the context of another user by uploading a crafted glTF file containing malicio...
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS in the extensionsRequired field of glTF files processed by the 3D file viewer. An attacker can execute arbitrary JavaScript code in the context of another user by uploading a crafted glTF file containing malicio...
CVE-2026-28737
Gitea versions from 1.25.0 before 1.26.0 allow stored cross-site scripting through the extensionsRequired field in glTF files rendered by the 3D file viewer...
CVE-2026-28737
Gitea versions from 1.25.0 before 1.26.0 allow stored cross-site scripting through the extensionsRequired field in glTF files rendered by the 3D file viewer...
CVE-2026-28737
CVE-2026-28737 affects Gitea 1.25.0 and later, with a stored XSS flaw in the built-in 3D file viewer (Online3DViewer). When a GLTF file’s extensionsRequired contains an unsupported entry, the viewer emits an error message which Gitea then inserts into the DOM via unsanitized innerHTML, enabling a...
GO-2026-5286 Gitea: Stored XSS via glTF `extensionsRequired` in Gitea 3D File Viewer in code.gitea.io/gitea
Gitea: Stored XSS via glTF extensionsRequired in Gitea 3D File Viewer in code.gitea.io/gitea...
Gitea: Stored XSS via glTF `extensionsRequired` in Gitea 3D File Viewer
Summary Me again. Gitea's built-in 3D file viewer powered by Online3DViewer is vulnerable to stored cross-site scripting XSS through crafted .gltf files. When a glTF file declares an unsupported required extension, Online3DViewer generates an error message containing the extension name and Gitea...
PT-2026-50586
Name of the Vulnerable Software and Affected Versions Gitea versions 1.25.0 and later Description Gitea is subject to stored cross-site scripting XSS through the built-in 3D file viewer, which utilizes the Online3DViewer library. The issue occurs when a .gltf file contains an unsupported extensio...