VDB
CVE-2026-26195
CVE-2026-26195
PUBLISHED
CVSS 6.900000095367432 MEDIUM
Gogs is an open source self-hosted Git service. Prior to version 0.14.2, stored xss is still possible through unsafe template rendering that mixes user input with safe plus permissive sanitizer handling of data urls. This issue has been patched in version 0.14.2.
EPSS 0.04% · 12.5th percentile
Risk Scores
CVSS v4.0
6.900000095367432
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS Score
0.04%
12.5th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| gogs | gogs | < 0.14.2, 0, < 0.14.2 |
| gogs.io | gogs | 0, 0 |
Timeline
- Mar 5, 2026 CVE Published
- Mar 6, 2026 EPSS Score
- Mar 7, 2026 EPSS Score
- Mar 8, 2026 EPSS Score
- Mar 10, 2026 EPSS Score
- Mar 11, 2026 EPSS Score
- Mar 12, 2026 EPSS Score
- Mar 13, 2026 EPSS Score
- Mar 14, 2026 EPSS Score
- Mar 15, 2026 EPSS Score
- Mar 17, 2026 EPSS Score
- Mar 17, 2026 Security Advisory
References
- https://github.com/gogs/gogs/security/advisories/GHSA-vgvf-m4fw-938j url
- https://github.com/gogs/gogs/pull/8176 url
- https://github.com/gogs/gogs/commit/ac21150a53bef3a3061f4da787ab193a8d68ecfc url
- https://github.com/gogs/gogs/releases/tag/v0.14.2 url
- https://nvd.nist.gov/vuln/detail/CVE-2026-26195 advisory
- https://github.com/gogs/gogs package