CVE-2026-26022

Gogs is an open source self-hosted Git service. Prior to version 0.14.2, a stored cross-site scripting XSS vulnerability exists in the comment and issue description functionality. The application's HTML sanitizer explicitly allows data: URI schemes, enabling authenticated users to inject arbitrar...

CVE-2026-26276

Gogs is an open source self-hosted Git service. Prior to version 0.14.2, an attacker can store an HTML/JavaScript payload in a repository’s Milestone name, and when another user selects that Milestone on the New Issue page /issues/new, a DOM-Based XSS is triggered. This issue has been patched in...

CVE-2026-26195 Gogs: Stored XSS in branch and wiki views through author and committer names

Gogs is an open source self-hosted Git service. Prior to version 0.14.2, stored xss is still possible through unsafe template rendering that mixes user input with safe plus permissive sanitizer handling of data urls. This issue has been patched in version 0.14.2...

PT-2026-23487

Name of the Vulnerable Software and Affected Versions Gogs versions prior to 0.14.2 Description The Gogs API accepts tokens in URL parameters, specifically token and access token. This can lead to information disclosure as these tokens may be logged, stored in browser history, or sent in referrer...