Summary
Discovered a Stored Cross-Site Scripting (XSS) vulnerability in Gogs, a popular self-hosted Git service. The HTML sanitizer explicitly allows data: URI schemes, enabling authenticated users to inject arbitrary JavaScript via malicious links in issue comments and descriptions.
CVE ID: CVE-2026-26022
Advisory: GHSA-xrcr-gmf5-2r8j
CWE: CWE-79 — Improper Neutralization of Input During Web Page Generation
Affected Versions: Gogs ≤ 0.14.1
Patched Versions: None
Vulnerability Details
The vulnerability is located in internal/markup/sanitizer.go. Gogs uses the bluemonday HTML sanitizer but explicitly weakens the security policy by allowing the data URL scheme:
```go
// internal/markup/sanitizer.go
func NewSanitizer() {
	sanitizer.init.Do(func() {
		// ...
		// Data URLs
		sanitizer.policy.AllowURLSchemes("data")
		// ...
	})
}
```
While the Markdown renderer rewrites relative links (mitigating standard Markdown [link](data:...) attacks), Gogs supports Raw HTML input. Raw HTML anchor tags bypass the Markdown parser's link rewriting and are processed directly by the sanitizer. Since the sanitizer is configured to allow data: URIs, payloads like <a href="data:text/html..."> are rendered as-is into the page.
Proof of Concept
- Create a file named exploit.md in a repository
- Add the following Raw HTML content:
<a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=">Click me for XSS</a>
The base64 payload decodes to <script>alert('XSS')</script>.
- Commit and push the file
- Navigate to the file in the Gogs web interface
- Click the "Click me for XSS" link
An alert box with "XSS" appears, confirming JavaScript execution in the victim's browser context.
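The following Go program is an added example, not code from Gogs or from bluemonday, and it uses only the standard library. It reproduces the one decision that matters in the sanitizer passage above, a URL scheme allowlist applied to href attributes, with the weak set (http, https, mailto plus data, the effect of AllowURLSchemes("data")) next to the hardened set (the same without data), and runs both over the anchor from the proof of concept. It also decodes the data: URI so an operator triaging content already stored on an unpatched instance can see what such a link carries. The names WeakSchemes, HardenedSchemes, HrefAllowed, SanitizeHrefs, DecodeDataURI and FindHTMLDataLinks are hypothetical, and the regex-based attribute scanner is a deliberately minimal stand-in for a real HTML tokenizer.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Scheme allowlists (hypothetical names, not Gogs or bluemonday identifiers).
// WeakSchemes reproduces the effect of adding "data" to the usual
// http/https/mailto set; HardenedSchemes simply leaves "data" out.
var (
	WeakSchemes     = map[string]bool{"http": true, "https": true, "mailto": true, "data": true}
	HardenedSchemes = map[string]bool{"http": true, "https": true, "mailto": true}
)

// HrefAllowed decides whether one href value may survive sanitisation.
// Schemeless (relative) hrefs are kept. Anything url.Parse rejects is refused:
// browsers are more forgiving than the parser, so a value we cannot classify
// must not reach the page (fail closed).
func HrefAllowed(href string, allowed map[string]bool) bool {
	u, err := url.Parse(href)
	if err != nil {
		return false
	}
	if u.Scheme == "" {
		return true
	}
	return allowed[strings.ToLower(u.Scheme)]
}

// hrefAttr matches a double-quoted href attribute in a raw HTML fragment.
// Minimal on purpose: it is enough to show the allowlist decision.
var hrefAttr = regexp.MustCompile(`(?i)\s+href\s*=\s*"([^"]*)"`)

// SanitizeHrefs removes every href whose scheme is not in the allowlist and
// returns the rewritten fragment. The <a> element stays but no longer navigates.
func SanitizeHrefs(fragment string, allowed map[string]bool) string {
	return hrefAttr.ReplaceAllStringFunc(fragment, func(attr string) string {
		value := hrefAttr.FindStringSubmatch(attr)[1]
		if HrefAllowed(value, allowed) {
			return attr
		}
		return ""
	})
}

// DecodeDataURI splits a data: URI into media type and decoded body so a
// reviewer can see what a stored link actually carries. ok is false when the
// value is not a data: URI or its payload is malformed.
func DecodeDataURI(href string) (mediaType, body string, ok bool) {
	if !strings.HasPrefix(strings.ToLower(href), "data:") {
		return "", "", false
	}
	meta, payload, found := strings.Cut(href[len("data:"):], ",")
	if !found {
		return "", "", false
	}
	params := strings.Split(meta, ";")
	mediaType = strings.ToLower(params[0])
	if mediaType == "" {
		mediaType = "text/plain" // RFC 2397 default when the media type is omitted
	}
	for _, p := range params[1:] {
		if strings.EqualFold(p, "base64") {
			raw, err := base64.StdEncoding.DecodeString(payload)
			if err != nil {
				return mediaType, "", false
			}
			return mediaType, string(raw), true
		}
	}
	unescaped, err := url.PathUnescape(payload)
	if err != nil {
		return mediaType, "", false
	}
	return mediaType, unescaped, true
}

// FindHTMLDataLinks returns the hrefs in a fragment that are data: URIs with
// an HTML media type, the shape of link this advisory describes.
func FindHTMLDataLinks(fragment string) []string {
	var hits []string
	for _, m := range hrefAttr.FindAllStringSubmatch(fragment, -1) {
		if mt, _, ok := DecodeDataURI(m[1]); ok && mt == "text/html" {
			hits = append(hits, m[1])
		}
	}
	return hits
}

func main() {
	// Constructed sample: the anchor from the proof of concept next to an
	// ordinary link, as raw HTML in a Markdown file might be stored.
	fragment := `<p>See <a href="https://example.org/docs">the docs</a> and ` +
		`<a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=">Click me for XSS</a></p>`

	fmt.Println("weak:    ", SanitizeHrefs(fragment, WeakSchemes))
	fmt.Println("hardened:", SanitizeHrefs(fragment, HardenedSchemes))
	for _, h := range FindHTMLDataLinks(fragment) {
		mt, body, _ := DecodeDataURI(h)
		fmt.Printf("data link carries %s: %q\n", mt, body)
	}
}
```

With the weak set the data: anchor comes through untouched; with the hardened set its href is stripped while the https link survives. FindHTMLDataLinks is the check to run over stored issue text and repository files on an instance that cannot yet be patched, since the advisory lists no fixed version.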
Impact
- Session hijacking — steal authentication cookies and session tokens
- Account takeover — perform arbitrary actions on behalf of the victim (modifying repositories, adding collaborators, changing settings)
- Phishing — redirect users to malicious sites from a trusted Gogs instance
- Any user who views the malicious comment and clicks the link is affected