CVE-2026-26195

CVSS

No CVSS.

ogs is an open source self-hosted Git service. Prior to version 0.14.2, stored xss is still possible through unsafe template rendering that mixes user input with safe plus permissive sanitizer handling of data urls. This issue has been patched in version 0.14.2.

References

Link	Resource
https://github.com/gogs/gogs/commit/ac21150a53bef3a3061f4da787ab193a8d68ecfc
https://github.com/gogs/gogs/pull/8176
https://github.com/gogs/gogs/releases/tag/v0.14.2
https://github.com/gogs/gogs/security/advisories/GHSA-vgvf-m4fw-938j

Configurations

No configuration.

History

05 Mar 2026, 19:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-05 19:16

Updated : 2026-03-05 19:38

NVD link : CVE-2026-26195

Mitre link : CVE-2026-26195

CVE.ORG link : CVE-2026-26195

JSON object : View

Products Affected

No product.

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2026-26195", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-05T19:16:03.900", "references": [{"url": "https://github.com/gogs/gogs/commit/ac21150a53bef3a3061f4da787ab193a8d68ecfc", "source": "[email protected]"}, {"url": "https://github.com/gogs/gogs/pull/8176", "source": "[email protected]"}, {"url": "https://github.com/gogs/gogs/releases/tag/v0.14.2", "source": "[email protected]"}, {"url": "https://github.com/gogs/gogs/security/advisories/GHSA-vgvf-m4fw-938j", "source": "[email protected]"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Gogs is an open source self-hosted Git service. Prior to version 0.14.2, stored xss is still possible through unsafe template rendering that mixes user input with safe plus permissive sanitizer handling of data urls. This issue has been patched in version 0.14.2."}], "lastModified": "2026-03-05T19:38:33.877", "sourceIdentifier": "[email protected]"}

CVE-2026-26195

JSON object

Attach tags to CVE-2026-26195

Attach tags to `CVE-2026-26195`