CVE-2026-26195 Overview
CVE-2026-26195 is a Stored Cross-Site Scripting (XSS) vulnerability affecting Gogs, an open source self-hosted Git service. The vulnerability exists in versions prior to 0.14.2 and stems from unsafe template rendering that improperly mixes user input with the Safe template function, combined with permissive sanitizer handling of data URLs. This allows attackers to inject and persist malicious scripts that execute in the browsers of other users viewing affected pages.
Critical Impact
Stored XSS vulnerabilities enable attackers to persistently inject malicious JavaScript into the application, potentially leading to session hijacking, credential theft, unauthorized actions on behalf of users, and further compromise of the Git service infrastructure.
Affected Products
- Gogs versions prior to 0.14.2
- Self-hosted Gogs Git service installations
Discovery Timeline
- 2026-03-05 - CVE-2026-26195 published to NVD
- 2026-03-05 - Last updated in NVD database
Technical Details for CVE-2026-26195
Vulnerability Analysis
This Stored XSS vulnerability arises from a dangerous combination of unsafe template rendering practices in Gogs. The application uses Go's template engine with the Safe function, which marks content as trusted HTML and bypasses escaping. When user-controlled input, such as committer names, is passed through locale translation strings and then piped through Safe, the content is rendered without proper sanitization.
The vulnerability is particularly concerning because it affects the branch view templates where commit information is displayed. Attackers can craft malicious committer names containing JavaScript payloads that are stored in Git commits. When other users browse the branches page, the malicious script executes in their browser context.
Root Cause
The root cause is the improper handling of user-controlled data in template rendering. Specifically, the templates repo/branches/all.tmpl and repo/branches/overview.tmpl passed the .Commit.Committer.Name field directly into locale strings that were subsequently piped through the Safe function. Since Safe marks content as trusted HTML, any malicious content in the committer name would be rendered without escaping, enabling XSS attacks.
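The mechanism described above can be reproduced with Go's own html/template package. The following is an added example, not Gogs code: `tr` is a minimal stand-in for the template's `$.i18n.Tr` call with a constructed locale string, `safe` does what a Safe helper does (returns `template.HTML`, which the escaper treats as trusted markup), and `sanitize` is assumed to be a plain HTML escape rather than the project's real sanitizer. It renders the vulnerable pipeline, the fixed pipeline from the patch, and a variant without Safe, so the effect of each can be compared.

```go
package main

import (
	"bytes"
	"fmt"
	"html"
	"html/template"
	"strings"
)

// Constructed stand-in for the locale string behind repo.branches.updated_by.
const updatedBy = "Updated %s by %s"

// tr is a minimal stand-in for the template's $.i18n.Tr: look up the key and
// format the arguments into the locale string (hypothetical helper).
func tr(key string, args ...interface{}) string {
	if key == "repo.branches.updated_by" {
		return fmt.Sprintf(updatedBy, args...)
	}
	return key
}

// safe mirrors a Safe helper: wrapping the string in template.HTML tells
// html/template the value is trusted markup, so contextual escaping is skipped.
func safe(s string) template.HTML { return template.HTML(s) }

// sanitize is an assumed stand-in for the project's Sanitize helper, implemented
// here as a plain HTML escape; Gogs' own sanitizer policy is not reproduced.
func sanitize(s string) string { return html.EscapeString(s) }

var funcs = template.FuncMap{"Tr": tr, "Safe": safe, "Sanitize": sanitize}

// Three variants of the span from the branches template.
const (
	vulnerableTmpl = `<span>{{Tr "repo.branches.updated_by" .TimeSince .Name | Safe}}</span>`
	fixedTmpl      = `<span>{{Tr "repo.branches.updated_by" .TimeSince (Sanitize .Name) | Safe}}</span>`
	noSafeTmpl     = `<span>{{Tr "repo.branches.updated_by" .TimeSince .Name}}</span>`
)

// Render executes one template variant with a committer name and a fixed time string.
func Render(src, name string) string {
	t := template.Must(template.New("branch").Funcs(funcs).Parse(src))
	var buf bytes.Buffer
	data := map[string]string{"TimeSince": "2 days ago", "Name": name}
	if err := t.Execute(&buf, data); err != nil {
		panic(err)
	}
	return buf.String()
}

// HasRawTag reports whether the rendered HTML still contains an unescaped script tag.
func HasRawTag(out string) bool { return strings.Contains(out, "<script>") }

func main() {
	name := "Mallory <script>x</script>" // constructed hostile committer name
	variants := []struct{ label, src string }{
		{"vulnerable", vulnerableTmpl},
		{"fixed", fixedTmpl},
		{"no Safe", noSafeTmpl},
	}
	for _, v := range variants {
		fmt.Printf("%-11s %s\n", v.label+":", Render(v.src, name))
	}
}
```

The "no Safe" variant shows that html/template already escapes the name when the pipeline does not end in a trusted-HTML value; Safe is what disables that protection, which is why the fix has to escape before marking the result trusted.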
Attack Vector
The attack vector is network-based and requires no authentication to exploit. An attacker can create a Git commit with a specially crafted committer name containing a JavaScript payload. When this commit is pushed to a Gogs repository, the malicious script is stored persistently. Any user who subsequently views the branches page will have the malicious JavaScript execute in their browser session.
The attack leverages data URLs and the permissive sanitizer to bypass initial input filtering. The stored nature of this XSS means the attack persists across sessions and affects all users who view the compromised pages.
<div class="ui eleven wide column">
{{if .IsProtected}}<i class="octicon octicon-shield"></i> {{end}}<a class="markdown" href="{{$.RepoLink}}/src/{{EscapePound .Name}}"><code>{{.Name}}</code></a>
{{$timeSince := TimeSince .Commit.Committer.When $.Lang}}
- <span class="ui text light grey">{{$.i18n.Tr "repo.branches.updated_by" $timeSince .Commit.Committer.Name | Safe}}</span>
+ <span class="ui text light grey">{{$.i18n.Tr "repo.branches.updated_by" $timeSince (Sanitize .Commit.Committer.Name) | Safe}}</span>
</div>
<div class="ui four wide column">
{{if and (and (eq $.BranchName .Name) $.IsRepositoryAdmin) (not $.Repository.IsMirror)}}
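Review bot: Sanitize is applied only to .Commit.Committer.Name, while $timeSince and the translated locale string still reach Safe unescaped, so the change depends on Sanitize's policy covering every markup form rather than on html/template's contextual escaping; given the advisory's note that the sanitizer is permissive toward data URLs, the policy behind Sanitize deserves a second look. This hunk also covers only repo/branches/all.tmpl, whereas the root-cause text names repo/branches/overview.tmpl as well; confirm the same `(Sanitize .Commit.Committer.Name)` change lands there.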
Source: GitHub Commit Details
Detection Methods for CVE-2026-26195
Indicators of Compromise
- Unusual JavaScript code or HTML tags present in Git commit author/committer names
- Browser console errors indicating blocked inline scripts (if CSP is enabled)
- Reports from users of unexpected behavior or pop-ups when viewing repository branches
- Log entries showing commits with suspicious committer metadata
Detection Strategies
- Implement Content Security Policy (CSP) headers to detect and block inline script execution
- Monitor for unusual patterns in Git commit metadata, particularly in committer and author name fields
- Deploy web application firewalls (WAF) with XSS detection rules
- Conduct regular security audits of repository commit history for suspicious entries
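The commit-metadata audit suggested above can be scripted. The following is an added example, not part of the advisory or of Gogs: it takes lines in the shape produced by `git log --all --format='%H%x09%an%x09%cn'` (commit hash, author name, committer name, tab-separated) and flags any name that looks like markup or a script/data URL. The sample log is constructed and the hashes are placeholders; the regular expression is a triage heuristic, not a model of what the renderer would execute.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding records one commit whose author or committer name looks like markup.
type Finding struct {
	Hash  string
	Field string // "author" or "committer"
	Value string
}

// suspicious matches anything that could open a tag, carry a javascript: or
// data: URL, or look like an inline event handler. Heuristic for triage only.
var suspicious = regexp.MustCompile(`(?i)<\s*/?[a-z!]|javascript:|data:|on[a-z]+\s*=`)

// ScanLog parses tab-separated "hash<TAB>author<TAB>committer" lines, as emitted by
// git log --all --format='%H%x09%an%x09%cn', and returns every suspicious name.
func ScanLog(lines []string) []Finding {
	var out []Finding
	for _, line := range lines {
		parts := strings.SplitN(line, "\t", 3)
		if len(parts) != 3 {
			continue // malformed line; skip rather than guess
		}
		for i, field := range []string{"author", "committer"} {
			if suspicious.MatchString(parts[i+1]) {
				out = append(out, Finding{Hash: parts[0], Field: field, Value: parts[i+1]})
			}
		}
	}
	return out
}

// Constructed sample log; the hashes are placeholders, not real commits.
var sampleLog = []string{
	"a1b2c3d4\tAlice Example\tAlice Example",
	"e5f6a7b8\tBob <script>x</script>\tBob <script>x</script>",
	"c9d0e1f2\tCarol\t<img src=x onerror=y>",
	"0badc0de\tDave\tDave",
}

func main() {
	for _, f := range ScanLog(sampleLog) {
		fmt.Printf("%s %-9s %q\n", f.Hash, f.Field, f.Value)
	}
}
```

Run the real `git log` command inside each bare repository on the Gogs host and feed its output to `ScanLog`; a hit on a pre-0.14.2 instance means the branches page for that repository has already rendered the name and should be treated as a possible exposure, not just a pending one.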
Monitoring Recommendations
- Enable browser-level XSS auditing and logging where available
- Monitor application logs for unusual template rendering errors
- Set up alerting for CSP violation reports
- Regularly review access logs for patterns indicating credential theft or session hijacking attempts
How to Mitigate CVE-2026-26195
Immediate Actions Required
- Upgrade Gogs to version 0.14.2 or later immediately
- Audit existing repositories for commits containing potentially malicious committer names
- Implement Content Security Policy headers to mitigate impact of any unpatched instances
- Review session logs for signs of potential compromise
Patch Information
The vulnerability has been patched in Gogs version 0.14.2. The fix introduces proper sanitization of user-controlled data before it is passed through the Safe template function. Specifically, the Sanitize function is now applied to committer names before they are included in locale strings.
Details of the fix can be found in:
Workarounds
- Deploy a reverse proxy with XSS filtering capabilities in front of Gogs
- Implement strict Content Security Policy headers to block inline script execution
- Restrict repository write access to trusted users only until patching is complete
- Consider temporarily disabling public access to branch viewing pages if immediate patching is not possible
# Example Content Security Policy header configuration for nginx
# Add to your Gogs server block as a temporary mitigation
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; object-src 'none';" always;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.