CVE-2026-28737 Overview
CVE-2026-28737 is a stored cross-site scripting (XSS) vulnerability [CWE-79] in Gitea, an open-source self-hosted Git service. The flaw affects Gitea versions from 1.25.0 before 1.26.0. Attackers can inject malicious script content through the extensionsRequired field in glTF (GL Transmission Format) files. When a victim views the file in Gitea's built-in 3D file viewer, the payload executes in the browser context.
Critical Impact
Authenticated attackers can commit crafted glTF files to trigger script execution against any user rendering the 3D viewer, enabling session hijacking, credential theft, and repository tampering under the victim's identity.
Affected Products
- Gitea 1.25.0
- Gitea versions after 1.25.0 and before 1.26.0
- Self-hosted Gitea instances with 3D file viewer enabled
Discovery Timeline
- 2026-07-03 - CVE-2026-28737 published to NVD
- 2026-07-07 - Last updated in NVD database
Technical Details for CVE-2026-28737
Vulnerability Analysis
Gitea includes a 3D file viewer that renders glTF assets stored in repositories. The viewer parses metadata fields from the glTF JSON structure and injects values into the rendered page without sufficient output encoding. The extensionsRequired field, which normally lists glTF extensions needed to load the asset, becomes an injection point.
An authenticated user with write access to any repository can commit a glTF file containing script payloads inside extensionsRequired. Any user who navigates to the file view triggers the payload. Because the script executes within the Gitea origin, it can access session cookies, invoke authenticated API endpoints, and modify repositories on behalf of the victim.
The scope-changed impact reflects that a lower-privileged attacker can affect resources belonging to higher-privileged users, including administrators. User interaction is required because the victim must open the malicious file view.
Root Cause
The root cause is improper neutralization of input during web page generation [CWE-79]. The 3D viewer template renders glTF metadata fields directly into the DOM without HTML-escaping or safe attribute quoting. Field values controlled by the file author reach the rendered page as executable content.
Attack Vector
Exploitation follows this path:
- The attacker crafts a glTF file with a malicious payload embedded in the extensionsRequired array.
- The attacker commits the file to a repository they can write to, including public repositories they control.
- A victim opens the file in Gitea's web UI, invoking the 3D file viewer.
- The viewer renders the malicious field, and the script executes in the victim's browser under the Gitea origin.
See the GitHub Security Advisory GHSA-9cpj-qc93-vw8v and the Gitea Pull Request Update for technical details on the affected code path.
Detection Methods for CVE-2026-28737
Indicators of Compromise
- Commits adding .gltf or .glb files containing unusual string values in the extensionsRequired array.
- glTF JSON metadata fields containing HTML tags, <script> markers, or event handler attributes such as onerror and onload.
- Outbound browser requests to unfamiliar domains originating from Gitea file-view pages.
- Unexpected Gitea API calls or repository modifications tied to user sessions that recently viewed 3D files.
Detection Strategies
- Scan repository content for glTF files and inspect the extensionsRequired field for non-conforming string values.
- Review web server access logs for repeated file-view requests to .gltf or .glb paths from multiple user sessions.
- Correlate 3D viewer page loads with subsequent anomalous API activity from the same session identifier.
Monitoring Recommendations
- Enable Content Security Policy (CSP) reporting to capture inline script violations on Gitea file-view routes.
- Alert on new commits containing glTF files across all repositories on the instance during the exposure window.
- Track administrative account sessions for unexpected privilege operations following 3D viewer usage.
How to Mitigate CVE-2026-28737
Immediate Actions Required
- Upgrade Gitea to version 1.26.0 or later, which contains the fix referenced in Gitea PR 37233.
- Audit all glTF and glB files committed since Gitea 1.25.0 for suspicious payloads in metadata fields.
- Rotate session tokens and API keys for any user who may have opened untrusted 3D files.
Patch Information
Gitea addressed the vulnerability in the 1.26.0 release. Refer to the Gitea 1.26.0 Release Announcement and the GitHub release notes for upgrade guidance. The fix applies proper output encoding to glTF metadata rendered by the 3D file viewer.
Workarounds
- Disable the 3D file viewer feature in Gitea configuration until the upgrade is applied.
- Restrict write access to repositories and require review for commits introducing binary or glTF assets.
- Deploy a strict Content Security Policy that disallows inline scripts on file-view routes.
# Verify installed Gitea version and upgrade to 1.26.0 or later
gitea --version
# Example: upgrade a binary install
systemctl stop gitea
wget https://github.com/go-gitea/gitea/releases/download/v1.26.0/gitea-1.26.0-linux-amd64 -O /usr/local/bin/gitea
chmod +x /usr/local/bin/gitea
systemctl start gitea
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

