Gogs / Gitea, DOM-Based XSS, CVE-2026-52807 (High) -DC-Jun2026-582


Vulnerability Deep Dive: How CVE-2026-52807 Works

This vulnerability is a classic case of an incomplete patch leading to a stored DOM-based Cross-Site Scripting (XSS) attack. The root cause lies in the interaction between Go’s template auto-escaping, the browser’s DOM parsing, and the default behavior of the Semantic UI dropdown component.
The story begins with a previous security advisory, GHSA-vgjm-2cpf-4g7c, which addressed a DOM-based XSS vulnerability in the milestone selection feature. The original fix was applied to the `view_content.tmpl` template by adding a `| Sanitize` filter, which uses the bluemonday library to strip out any dangerous HTML tags. This successfully mitigated the issue on pages that display issue content.
However, the patch was not applied to the `new_form.tmpl` template, which renders the “New Issue” page. On this page, milestone names are rendered with Go’s default auto-escaping, `{{.Name}}`, which converts special characters into HTML entities: a `<` character becomes `&lt;`, for example. This is a standard and effective defense against direct HTML injection, because an attacker cannot insert raw HTML into the page.
The critical flaw emerges when the browser renders this escaped text. The browser decodes the entities, so the element’s text content is once again the original payload string (e.g., `<img src=x onerror=alert(1)>`). At this point the payload is still plain text and is harmless.
The danger is triggered when a user interacts with the milestone dropdown. The dropdown is powered by Semantic UI version 2.4.2, whose default setting is `preserveHTML: true`. When a user selects an item, the internal `set.text()` method is called. With `preserveHTML` enabled, this method uses jQuery’s `.html()` function to set the content of the selected-text element, and it passes the decoded text content of the dropdown item to `.html()`. The browser therefore re-parses the previously harmless text as HTML. The malicious markup is re-introduced into the DOM, and the inline event handler (such as `onerror`) executes in the context of the victim’s browser session.
An attacker with write access to a repository can create a milestone with a malicious name containing an XSS payload. Any other user who then visits the “New Issue” page and interacts with the milestone dropdown will trigger the payload. This can lead to session hijacking, CSRF token theft, and performing actions with the victim’s privileges.
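The escape / decode / re-parse round trip described above can be modelled without a browser. The following is an added example, not code from this advisory, from Gogs, Gitea, jQuery or Semantic UI: the "DOM" is just strings, `goTemplateEscape` mimics what `html/template` emits for `{{.Name}}`, `dropdownSetText` mimics Semantic UI's `set.text()` under both `preserveHTML` settings, and `sanitizeModel` is a regex stand-in for the template's `| Sanitize` filter (bluemonday in the real project). It shows why output encoding alone is defeated when client code writes text content back with `.html()`, and that either mitigation the page names (sanitizing on the server or not preserving HTML on the client) leaves the selected-text element inert.

```javascript
// Added example (not from the advisory, Gogs, Gitea, jQuery or Semantic UI):
// a string-level model of the escape -> decode -> re-parse round trip behind
// CVE-2026-52807 and of the two mitigations the advisory names.
// There is no real DOM here; "innerHTML" values are plain strings, so this
// runs under Node without a browser.

// What Go's html/template does to {{.Name}} in new_form.tmpl
// (entity forms as html/template emits them).
function goTemplateEscape(s) {
  return s
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&#34;')
    .replace(/'/g, '&#39;');
}

// What the browser hands back as the element's text content (jQuery .text()):
// entities are decoded, so the original string reappears as plain text.
function decodeEntities(s) {
  return s
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&#34;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&amp;/g, '&'); // last, so "&amp;lt;" does not turn into "<"
}

// Models jQuery .text(): the string becomes a text node, which serializes
// back with &, < and > escaped, so it can never become markup.
function jqueryText(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Models jQuery .html(): the string is parsed as markup, verbatim.
function jqueryHtml(s) {
  return s;
}

// Models Semantic UI 2.4.2 dropdown set.text(): with preserveHTML (default
// true) the item's decoded text is written back with .html().
function dropdownSetText(itemText, settings = { preserveHTML: true }) {
  return settings.preserveHTML ? jqueryHtml(itemText) : jqueryText(itemText);
}

// Hypothetical stand-in for the template's `| Sanitize` filter. This regex
// only strips tags for the demo; a real deployment uses an HTML sanitizer
// (bluemonday in Gogs/Gitea), not a regex.
function sanitizeModel(s) {
  return s.replace(/<[^>]*>/g, '');
}

// Review check over rendered markup: does any element carry an inline
// event-handler attribute (on<something>=)?
function hasInlineEventHandler(markup) {
  return /<\w+[^>]*\son\w+\s*=/i.test(markup);
}

// Full round trip for one milestone name. Returns what ends up in the
// dropdown's selected-text element under each configuration.
function roundTrip(milestoneName) {
  const rendered = goTemplateEscape(milestoneName);      // server-side output
  const textContent = decodeEntities(rendered);          // browser .text()
  const renderedSanitized = goTemplateEscape(sanitizeModel(milestoneName));
  return {
    rendered,
    // unpatched template + preserveHTML: true (the vulnerable combination)
    vulnerable: dropdownSetText(textContent, { preserveHTML: true }),
    // unpatched template, client configured with preserveHTML: false
    clientFix: dropdownSetText(textContent, { preserveHTML: false }),
    // template patched with the Sanitize filter, client left at its default
    serverFix: dropdownSetText(decodeEntities(renderedSanitized), { preserveHTML: true }),
  };
}

// Constructed input: the payload string used in the advisory's PoC.
const PAYLOAD = "<img src=x onerror=alert('XSS')>";

// Stand-alone demo output.
function demo() {
  const r = roundTrip(PAYLOAD);
  const verdict = (m) => (hasInlineEventHandler(m) ? 'handler present' : 'inert');
  console.log('template output     :', r.rendered);
  console.log('preserveHTML: true  :', r.vulnerable, '->', verdict(r.vulnerable));
  console.log('preserveHTML: false :', r.clientFix, '->', verdict(r.clientFix));
  console.log('| Sanitize on server:', JSON.stringify(r.serverFix), '->', verdict(r.serverFix));
}
demo();
```

The interesting line is `vulnerable`: the template did escape correctly, yet the selected-text element receives the unescaped markup because `.text()` undid the encoding and `.html()` re-parsed it. A benign name such as `v1.0 & docs` survives both mitigations unchanged, which is the regression check to run when backporting the filter.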

DailyCVE Form

Platform: Gogs / Gitea
Version: < 0.14.2 (Gogs) / < 1.22.0 (Gitea)
Vulnerability: DOM-Based XSS
Severity: High (7.3 CVSS)
Date: 2026-03-05

Prediction: 2026-03-10

What Undercode Say: Analytics

The vulnerability is a stored DOM-based XSS, meaning the malicious payload is stored on the server (in the milestone name) and executed in the client’s browser. The attack vector is the milestone dropdown on the new issue page (`/issues/new`).

Proof of Concept (PoC)

1. As an attacker with write access, create a new milestone with the following name: `<img src=x onerror=alert('XSS')>`
2. As a victim, navigate to the `/issues/new` page of the same repository.
3. Click on the milestone dropdown to select a milestone.
4. The JavaScript payload will execute, displaying an alert box.

Exploitation Vectors

An attacker can leverage this vulnerability for various malicious activities:
Session Hijacking: Steal the victim’s session cookies by executing `document.cookie` and exfiltrating the data to an attacker-controlled server.
CSRF Token Theft: Extract CSRF tokens from the page and use them to perform state-changing requests (e.g., creating new issues, modifying repository settings) on behalf of the victim.
Privilege Escalation: If the victim has administrative privileges, the attacker can perform actions to escalate their own privileges or compromise the entire instance.

Protection & Mitigation

Upgrade: The primary and most effective mitigation is to upgrade to a patched version.

For Gogs, upgrade to version 0.14.2 or later.

For Gitea, upgrade to version 1.22.0 or later.

Backporting the Fix: If an immediate upgrade is not possible, the fix can be backported. This involves applying the `| Sanitize` filter to the milestone name rendering in the `templates/repo/issue/new_form.tmpl` template, similar to how it was done in `view_content.tmpl`.
Disable JavaScript (Not Recommended): As a temporary measure, users could disable JavaScript in their browser to prevent the execution of the payload. However, this will break most of the application’s functionality and is not a practical long-term solution.

Impact

Stored DOM XSS: Any user with write access can plant a persistent XSS payload. Any other user visiting the new issue page and interacting with the dropdown will be affected.
Session Hijacking: Attackers can steal session cookies and impersonate victims.
Privilege Escalation: Attackers can perform actions with the victim’s permissions, potentially leading to full account takeover or repository compromise.


Sources:

Reported By: github.com
Extra Source Hub:
Undercode
