5 matches found
GO-2026-4618 Gogs: Stored XSS in branch and wiki views through author and committer names in gogs.io/gogs
GHSA-VGVF-M4FW-938J Gogs: Stored XSS in branch and wiki views through author and committer names
Summary: Stored XSS is still possible through unsafe template rendering that mixes user input with safe, plus permissive sanitizer handling of data URLs. Details: safe still turns off escaping: - internal/template/template.go - func safe(raw string) template.HTML { return template.HTML(raw) } Branch pages...
Gogs: Stored XSS in branch and wiki views through author and committer names
Summary: Stored XSS is still possible through unsafe template rendering that mixes user input with safe, plus permissive sanitizer handling of data URLs. Details: safe still turns off escaping: - internal/template/template.go - func safe(raw string) template.HTML { return template.HTML(raw) } Branch pages...
CVE-2026-26195 Gogs: Stored XSS in branch and wiki views through author and committer names
Gogs is an open source self-hosted Git service. Prior to version 0.14.2, stored XSS is still possible through unsafe template rendering that mixes user input with safe, plus permissive sanitizer handling of data URLs. This issue has been patched in version 0.14.2...
CVE-2026-26195
Gogs prior to v0.14.2 is affected by a stored XSS due to unsafe template rendering that mixes user input with a permissive sanitizer for data URLs. The issue enables stored cross-site scripting via data URLs and has been patched in v0.14.2. CVSS v4.0 base metrics indicate a MEDIUM severity (6.9) ...