2 matches found
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS in the extensionsRequired field of glTF files processed by the 3D file viewer. An attacker can execute arbitrary JavaScript code in the context of another user by uploading a crafted glTF file containing malicio...
CVE-2026-28737
CVE-2026-28737 affects Gitea 1.25.0 and later, with a stored XSS flaw in the built-in 3D file viewer (Online3DViewer). When a GLTF file’s extensionsRequired contains an unsupported entry, the viewer emits an error message which Gitea then inserts into the DOM via unsanitized innerHTML, enabling a...