CVE-2026-26022 Overview
CVE-2026-26022 is a stored cross-site scripting (XSS) vulnerability in Gogs, an open source self-hosted Git service. The flaw exists in the comment and issue description functionality. Gogs' HTML sanitizer explicitly allows data: URI schemes, which lets authenticated users inject arbitrary JavaScript through malicious links. When another user clicks the crafted link, the embedded script executes in their browser session. The vulnerability is tracked as CWE-79 (Improper Neutralization of Input During Web Page Generation). Gogs version 0.14.2 fixes the issue.
Critical Impact
Authenticated attackers can execute arbitrary JavaScript in victims' browsers, enabling session theft, account compromise, and unauthorized repository actions within the Gogs instance.
Affected Products
- Gogs versions prior to 0.14.2
- Self-hosted Gogs Git service deployments
- All platforms running vulnerable Gogs builds
Discovery Timeline
- 2026-03-05 - CVE-2026-26022 published to NVD
- 2026-03-06 - Last updated in NVD database
Technical Details for CVE-2026-26022
Vulnerability Analysis
The vulnerability resides in the markdown rendering pipeline that processes user-supplied content in issue descriptions and comments. Gogs applies an HTML sanitizer to strip dangerous markup before rendering, but the allowlist for URI schemes in anchor (<a href=...>) elements includes data:. This permissive configuration defeats the purpose of the sanitizer for link attributes.
An authenticated user with permission to file issues or post comments can craft a link whose href attribute uses a data:text/html URI containing JavaScript. When a victim user clicks the rendered link, the browser navigates to the data URI and executes the embedded script under the originating context. The attack requires user interaction but only standard authenticated privileges.
The impact includes session token theft, forced actions through the Gogs web interface, repository tampering, and pivoting to other authenticated users including administrators. Because issues and comments are persistent, every viewer who interacts with the malicious link becomes a target.
Root Cause
The root cause is an overly permissive HTML sanitization policy. The sanitizer's URI scheme allowlist included data: alongside expected schemes such as http and https. Data URIs can encode complete HTML documents with inline scripts, bypassing standard XSS filters that focus on <script> tags or javascript: URIs.
Attack Vector
An attacker authenticates to the Gogs instance and posts an issue or comment containing a markdown link pointing to a data:text/html URI. The URI encodes an HTML payload that runs JavaScript on load. When any user with access to the issue clicks the rendered link, the script executes in their browser. The fix in commit 441c64d7bd8893b2f4e48660a8be3a7472e14291 removes data: from the permitted URI schemes. See the GitHub Security Advisory GHSA-xrcr-gmf5-2r8j for additional technical context.
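To make the root cause and the fix concrete, the following is an added example (not Gogs' sanitizer and not code from the project) that models an anchor-href scheme allowlist in plain Go with only the standard library. PermissivePolicy reproduces the vulnerable shape, with data: listed next to http, https and mailto; StrictPolicy reproduces the 0.14.2 behaviour by leaving data: out. The Policy type, the function names and the sample hrefs are all invented for this illustration. The normalization step matters for any such check: browsers strip leading and trailing whitespace and embedded tabs and newlines before reading the scheme, so a disguised "  DATA:" or "da<tab>ta:" value must be judged the way it would navigate. Current browsers additionally refuse top-level navigation to data:text/html URLs and give data: documents an opaque origin rather than the Gogs origin, so what a clicked link can reach depends on the victim's browser; the allowlist is what the server controls, and the upgrade is the fix.

```go
package main

// Added illustration of the root cause and fix described above: a URI scheme
// allowlist for anchor hrefs, once with "data" permitted (the vulnerable
// configuration) and once without it (the 0.14.2 behaviour). Stand-alone
// example code, not Gogs' sanitizer; the Policy type and names are invented.

import (
	"fmt"
	"html"
	"net/url"
	"strings"
)

// Policy is a minimal stand-in for a sanitizer's URI scheme allowlist.
type Policy struct {
	allowed map[string]bool
}

// NewPolicy builds a policy that accepts only the given schemes (case-insensitive).
func NewPolicy(schemes ...string) Policy {
	p := Policy{allowed: make(map[string]bool, len(schemes))}
	for _, s := range schemes {
		p.allowed[strings.ToLower(s)] = true
	}
	return p
}

// PermissivePolicy mirrors the vulnerable configuration: data: sits next to the
// expected schemes, so a data:text/html link passes the sanitizer unchanged.
var PermissivePolicy = NewPolicy("http", "https", "mailto", "data")

// StrictPolicy mirrors the fix: data: is simply absent from the allowlist.
var StrictPolicy = NewPolicy("http", "https", "mailto")

// normalizeHref applies the leading/trailing whitespace trimming and the
// embedded tab/newline removal a browser performs before it reads the scheme,
// so " DATA:..." or "da\tta:..." is judged the way it would actually navigate.
func normalizeHref(href string) string {
	href = strings.TrimFunc(href, func(r rune) bool { return r <= ' ' })
	return strings.NewReplacer("\t", "", "\n", "", "\r", "").Replace(href)
}

// HrefAllowed reports whether an anchor href survives the policy. Relative
// links (no scheme) are kept; anything with a scheme must be on the allowlist.
func (p Policy) HrefAllowed(href string) bool {
	u, err := url.Parse(normalizeHref(href))
	if err != nil {
		return false // unparsable: drop rather than guess
	}
	if u.Scheme == "" {
		return true
	}
	return p.allowed[strings.ToLower(u.Scheme)]
}

// SanitizeAnchor renders a link as an <a> element, keeping the href only when
// the policy allows it; otherwise only the escaped link text is emitted.
func SanitizeAnchor(p Policy, text, href string) string {
	if p.HrefAllowed(href) {
		return fmt.Sprintf(`<a href="%s">%s</a>`, html.EscapeString(href), html.EscapeString(text))
	}
	return html.EscapeString(text)
}

func main() {
	// Constructed sample hrefs; the data: payload decodes to the harmless "<b>hi</b>".
	samples := []string{
		"https://example.com/doc",
		"/user/repo/issues/1",
		"mailto:admin@example.com",
		"data:text/html;base64,PGI+aGk8L2I+",
		"  DATA:text/html,hello", // same scheme, disguised by case and padding
		"javascript:void(0)",     // never on either allowlist
	}
	for _, s := range samples {
		fmt.Printf("%-40q permissive=%-5v strict=%v\n", s, PermissivePolicy.HrefAllowed(s), StrictPolicy.HrefAllowed(s))
	}
}
```

Run as-is and the table shows the data: entries (including the disguised one) accepted by PermissivePolicy and rejected by StrictPolicy, while ordinary http, https, mailto and relative links pass both.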
Detection Methods for CVE-2026-26022
Indicators of Compromise
- Issue or comment content containing markdown links with data: URI schemes, particularly data:text/html payloads
- Base64-encoded HTML or JavaScript fragments within anchor href attributes in stored Gogs content
- Outbound requests from user browsers to attacker-controlled endpoints originating from Gogs pages
- Unexpected authenticated API actions following a user viewing an issue or comment
Detection Strategies
- Query the Gogs database for issue and comment records containing the string data: within link markup
- Inspect web access logs for repeated views of specific issues followed by anomalous authenticated requests from the same sessions
- Deploy a Content Security Policy (CSP) in report-only mode to surface inline script execution attempts on Gogs pages
- Review repository audit trails for unauthorized configuration or permission changes correlated with comment activity
Monitoring Recommendations
- Alert on creation of issues or comments containing data:text/html or data:application/javascript substrings
- Monitor for session cookie exfiltration patterns such as outbound requests carrying Gogs session identifiers to external hosts
- Track administrative account activity for unexpected actions following routine issue triage
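The database query in Detection Strategies and the substring alerts in Monitoring Recommendations both need a check that keys on the link target rather than on the raw text of the body. The following added example (not Gogs code; the record shape, sample rows and function names are constructed here) pulls link targets out of stored markdown and raw HTML anchors and flags those using the data: scheme. It applies the same whitespace handling a browser applies before reading the scheme, so padded or mixed-case variants are caught, and it does not fire on an ordinary word such as "metadata:" in prose, which a plain substring alert would.

```go
package main

// Added detection example for the strategies and alerts above: scan stored
// issue and comment bodies for links whose target uses the data: scheme.
// Stand-alone example code, not part of Gogs; the record shape, the sample
// rows and the function names are constructed for this illustration.

import (
	"fmt"
	"regexp"
	"strings"
)

// StoredRecord stands in for a row pulled from the issue or comment table
// (constructed shape; real column names depend on the Gogs schema).
type StoredRecord struct {
	Kind string // "issue" or "comment"
	ID   int64
	Body string // raw markdown as stored, before rendering
}

// Finding is one flagged link target, ready for an alert or an audit listing.
type Finding struct {
	Kind   string
	ID     int64
	Target string
}

var (
	// [text](target) markdown links; the destination ends at ')' or whitespace.
	mdLinkRe = regexp.MustCompile(`\]\(\s*([^)\s]+)`)
	// raw HTML anchors that markdown passes through: href="..." or href='...'
	htmlHrefRe = regexp.MustCompile(`(?i)href\s*=\s*["']([^"']*)["']`)
)

// IsDataURI trims surrounding whitespace and removes embedded tabs and
// newlines the way a browser does before reading the scheme, then checks for
// data: regardless of case. A substring grep for "data:" over the whole body
// would miss "DATA:" and fire on words like "metadata:".
func IsDataURI(target string) bool {
	t := strings.TrimFunc(target, func(r rune) bool { return r <= ' ' })
	t = strings.NewReplacer("\t", "", "\n", "", "\r", "").Replace(t)
	return strings.HasPrefix(strings.ToLower(t), "data:")
}

// ScanRecord extracts every link target from one stored body and returns the
// ones that use the data: scheme.
func ScanRecord(r StoredRecord) []Finding {
	var out []Finding
	for _, re := range []*regexp.Regexp{mdLinkRe, htmlHrefRe} {
		for _, m := range re.FindAllStringSubmatch(r.Body, -1) {
			if IsDataURI(m[1]) {
				out = append(out, Finding{Kind: r.Kind, ID: r.ID, Target: m[1]})
			}
		}
	}
	return out
}

// ScanRecords runs ScanRecord over a batch, e.g. rows exported from the database.
func ScanRecords(records []StoredRecord) []Finding {
	var out []Finding
	for _, r := range records {
		out = append(out, ScanRecord(r)...)
	}
	return out
}

// SampleRecords are constructed rows: two benign, two carrying data: links.
// The base64 body "AAAA" is a placeholder; the payload content is irrelevant
// to detection, only the scheme is.
var SampleRecords = []StoredRecord{
	{"issue", 12, "Repro steps are [here](https://example.com/doc); see also #7."},
	{"comment", 44, "Please review [the fix](data:text/html;base64,AAAA) before merging."},
	{"comment", 45, `Mixed case and padding: <a href="  DATA:text/html,x">click</a>`},
	{"comment", 46, "Contact [the maintainer](mailto:admin@example.com) for metadata: questions."},
}

func main() {
	for _, f := range ScanRecords(SampleRecords) {
		fmt.Printf("ALERT %s #%d: data: link target %q\n", f.Kind, f.ID, f.Target)
	}
}
```

Feed it the content columns of the issue and comment tables (column names are an assumption; check the schema of the deployed version) and the two comment rows with data: targets are reported while the issue with an https link and the comment mentioning "metadata:" stay quiet. The same IsDataURI check can gate new submissions for the alert described under Monitoring Recommendations.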
How to Mitigate CVE-2026-26022
Immediate Actions Required
- Upgrade all Gogs instances to version 0.14.2 or later without delay
- Audit existing issues and comments for stored data: URI payloads and remove malicious content
- Invalidate active user sessions and rotate API tokens if exploitation is suspected
- Restrict issue and comment creation to trusted users on internet-exposed instances until patching completes
Patch Information
The fix is delivered in Gogs 0.14.2, available at the GitHub Release v0.14.2 page. The patch removes data: from the sanitizer's allowed URI schemes. Review the GitHub Commit Details and the associated GitHub Pull Request 8174 for code-level changes.
Workarounds
- Place Gogs behind a reverse proxy that enforces a strict Content Security Policy disallowing inline scripts and data: URIs in navigations
- Limit account creation and disable public sign-ups to reduce the pool of users who can post malicious content
- Educate users to avoid clicking unexpected links inside Gogs issues and comments until the upgrade is complete
# Configuration example: enforce CSP at reverse proxy (nginx); place inside the server or location block that proxies to Gogs
# Trial it as Content-Security-Policy-Report-Only first, since Gogs templates and avatar sources may rely on origins or inline code this policy blocks
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'self'" always;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.