How CVE-2026-52798 Works
Gogs, a self-hosted Git service, incorporates the `jsvine/notebookjs` library to render Jupyter notebook (.ipynb) files for user preview. The specific version bundled with Gogs is 0.4.2, which is significantly outdated. The latest version of `notebookjs` is 0.8.3, and its release notes indicate multiple patches for cross-site scripting (XSS) vulnerabilities.
The vulnerability exists because the outdated `notebookjs` library does not properly sanitize user-supplied content when rendering `.ipynb` files. An attacker can create a malicious `.ipynb` file containing a specially crafted Markdown cell. When this file is viewed in Gogs, the Markdown is rendered, and the embedded JavaScript executes in the context of the victim’s browser.
The proof of concept demonstrates this by using an `<img>` tag with an `onerror` attribute that triggers a JavaScript alert. More critically, the vulnerability can also be exploited through Markdown links using `javascript:` URIs, which bypass the sanitizer. This allows an attacker to execute arbitrary JavaScript within the Gogs origin.
The attack requires user interaction, such as the victim clicking a rendered link within the notebook preview. Once the malicious script executes, it can perform actions on behalf of the victim, potentially leading to account takeover. The issue is classified as a stored XSS because the payload is permanently saved within the repository.
The vulnerable code can be traced to the Gogs template file `templates/base/head.tmpl`, which includes the outdated `notebookjs` library. This inclusion makes all instances of Gogs using this version susceptible to the flaw.
DailyCVE Form
Platform: Gogs
Version: ≤ 0.14.2
Vulnerability: Stored XSS
Severity: Low
Date: 2026-06-19
Prediction: Patch released 2026-06-07
What Undercode Says: Analytics
The vulnerability stems from the use of an outdated third-party library. The following commands and code snippets are relevant to understanding and identifying this issue.
Check Gogs Version:
```bash
# Check the version of a running Gogs instance
curl -s http://<gogs-instance>/api/v1/version | jq .
```
Locate the Vulnerable Library Inclusion:
The vulnerable library is included in the `head.tmpl` template file.
```bash
# Search for the notebookjs inclusion in the Gogs source code
grep -r "notebookjs" templates/base/head.tmpl
```
Examine the Bundled `notebookjs` Version:
The version can be identified by checking the file within the Gogs installation.
```bash
# Check the version of notebookjs in the public directory
head -n 5 public/plugins/notebookjs/notebook.js
```
Exploit
An attacker can exploit this vulnerability by following these steps:
1. Create a new repository on the target Gogs instance.
2. Create a file named `xss.ipynb` within the repository.
3. Insert the following JSON payload into the file:
```json
{"cells": [{"cell_type": "markdown", "metadata": {}, "source": ["<img src=x onerror=\"alert(origin)\">"]}], "metadata": {}, "nbformat": 4, "nbformat_minor": 2}
```
4. Save the file.
When any user views the file, the XSS payload executes, displaying an alert with the origin.
Protection
To protect against CVE-2026-52798:
- Upgrade Gogs: The most effective protection is to upgrade to Gogs version 0.14.3 or later. This release includes a fix for the Stored XSS in Jupyter notebook previews.
- Update `notebookjs`: If upgrading is not immediately possible, manually update the `notebookjs` library within the Gogs installation to version 0.8.3 or later, which contains the necessary security patches.
- Disable `.ipynb` Previews: As a temporary workaround, disable the preview feature for Jupyter notebook files if the application configuration allows it.
- Security Header: Implement Content Security Policy (CSP) headers to restrict the execution of inline scripts and `javascript:` URIs, mitigating the impact of an XSS attack.
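As an added defensive example (not part of this advisory, of Gogs or of `notebookjs`), the following Python scanner parses an `.ipynb` file and flags Markdown cells that carry the active content described above: inline event-handler attributes such as `onerror`, and `javascript:` URIs in raw HTML or in Markdown link destinations. The sample notebook is constructed inline and includes the advisory's PoC cell; the function and class names are hypothetical.

```python
import json
import re
from html.parser import HTMLParser

# Constructed sample: the advisory's PoC cell, a javascript: Markdown link and a benign cell.
SAMPLE_NOTEBOOK = json.dumps({"cells": [
    {"cell_type": "markdown", "metadata": {}, "source": ["<img src=x onerror=\"alert(origin)\">"]},
    {"cell_type": "markdown", "metadata": {}, "source": ["[release notes](javascript:alert(1))"]},
    {"cell_type": "markdown", "metadata": {}, "source": ["# Safe heading\n", "a [link](https://example.invalid)"]},
], "metadata": {}, "nbformat": 4, "nbformat_minor": 2})

URI_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}
MD_LINK = re.compile(r"!?\[[^\]]*\]\(\s*<?([^)\s>]+)")  # [text](dest) or ![alt](dest)


def is_script_uri(value):
    # Strip whitespace and control characters so obfuscated spellings are caught too.
    cleaned = "".join(ch for ch in value if not ch.isspace() and ord(ch) > 31)
    return cleaned.lower().startswith("javascript:")


class RiskyHTML(HTMLParser):
    """Collects active-content markers from raw HTML embedded in a Markdown cell."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):  # HTMLParser lower-cases tag and attribute names
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"event handler {name} on <{tag}>")
            elif name in URI_ATTRS and value and is_script_uri(value):
                self.findings.append(f"javascript: URI in <{tag} {name}>")


def scan_notebook(nb_json):
    """Return (cell_index, finding) pairs for Markdown cells carrying active content."""
    results = []
    for idx, cell in enumerate(json.loads(nb_json).get("cells", [])):
        if cell.get("cell_type") != "markdown":
            continue
        src = cell.get("source", "")
        text = "".join(src) if isinstance(src, list) else src  # nbformat allows either form
        parser = RiskyHTML()
        parser.feed(text)
        parser.close()
        results.extend((idx, f) for f in parser.findings)
        results.extend((idx, "javascript: URI in Markdown link")
                       for m in MD_LINK.finditer(text) if is_script_uri(m.group(1)))
    return results
```

Run as a pre-receive or CI check over pushed `.ipynb` files, it reports which cell to inspect; it is a review aid, not a replacement for upgrading the renderer.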
Impact
The impact of this vulnerability is significant:
- Account Takeover: An attacker can execute arbitrary JavaScript in the context of a victim’s session. This allows the attacker to steal session cookies, perform actions on behalf of the user (e.g., create new repositories, modify code, change settings), and potentially gain full control of the victim’s account.
- Data Theft: The malicious script can access any data visible to the victim within the Gogs application, including source code, repository contents, and user information.
- Privilege Escalation: If a user with administrative privileges views the malicious file, the attacker could potentially escalate their privileges within the Gogs instance.
- Reputation Damage: Successful exploitation can lead to a loss of trust in the Gogs instance and its administrators, especially if sensitive data is compromised.
Sources:
Reported By: github.com