Listen to this Post
The vulnerability, identified as CVE-2026-26022, is a stored cross-site scripting (XSS) issue found in Gogs versions prior to 0.14.2. It resides in the comment and issue description functionality, specifically within the HTML sanitizer configuration in internal/markup/sanitizer.go. The application uses the `bluemonday` HTML sanitizer but explicitly weakens the security policy by allowing `data:` URI schemes using policy.AllowURLSchemes("data"). While the Markdown renderer rewrites relative links to mitigate standard Markdown-based attacks, Gogs supports raw HTML input. This allows an attacker to bypass the Markdown parser by using an HTML anchor tag, such as <a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=">Click me</a>. Because the sanitizer permits `data:` URIs, this raw HTML is not stripped. When a victim views the comment or issue description and clicks the link, the browser decodes and executes the base64-encoded JavaScript within the `data:` URI, leading to arbitrary script execution in the victim’s browser context. This attack can be carried out by any authenticated user, and the malicious payload is stored on the server, affecting any user who later views the page and interacts with the link.
dailycve form:
Platform: Gogs
Version: 0.14.1 and below
Vulnerability : Stored XSS
Severity: High
date: 03/05/2026
Prediction: Patch already available
What Undercode Say:
Analysis:
The root cause of CVE-2026-26022 is the explicit allowance of the `data:` URI scheme by the HTML sanitizer, combined with the application’s support for raw HTML in user comments. This configuration flaw allows authenticated attackers to inject arbitrary JavaScript by crafting malicious links.
Vulnerable Code Snippet (internal/markup/sanitizer.go):
// internal/markup/sanitizer.go
func NewSanitizer() {
sanitizer.init.Do(func() {
// ...
// Data URLs
sanitizer.policy.AllowURLSchemes("data")
// ...
})
}
How Exploit:
An attacker can exploit this vulnerability by creating an issue or comment containing a raw HTML anchor tag with a malicious `data:` URI. The payload is typically base64-encoded JavaScript.
Proof of Concept Payload:
<a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=">Click me for XSS</a>
When a victim clicks this link, the browser decodes and executes the JavaScript, displaying an alert box with “XSS”. In a real attack, this could be replaced with code to steal session cookies or perform actions on behalf of the user.
Protection from this CVE:
The vulnerability is fixed in Gogs version 0.14.2. The patch removes the `data:` URI scheme from the allowed list in the HTML sanitizer configuration.
Update Command:
For systems installed via binary wget https://github.com/gogs/gogs/releases/download/v0.14.2/gogs_0.14.2_linux_amd64.zip unzip gogs_0.14.2_linux_amd64.zip cd gogs ./gogs web For Docker users docker pull gogs/gogs:latest docker stop <container_id> docker run --name=gogs-new -p 10022:22 -p 13000:3000 -v /var/gogs:/data gogs/gogs
Impact:
A successful exploit allows an attacker to execute arbitrary JavaScript in the context of any authenticated user who clicks the malicious link. This can lead to session hijacking, theft of authentication cookies, unauthorized repository modifications, adding collaborators, and data exfiltration. Since Gogs often hosts sensitive source code and credentials, this poses a significant risk to the integrity and confidentiality of the development environment.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode
🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
📢 Follow DailyCVE & Stay Tuned:
𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin
OpenClaw, Authentication Bypass, CVE-2026-XXXXX (Critical)
