CVE-2026-52816 | Gogs is an open source self-hosted Git service. Prior to 0.1… | CVSS 5.4 MEDIUM

Description

Gogs is an open source self-hosted Git service. Prior to 0.14.3, the Jupyter Notebook (ipynb) sanitizer endpoint at POST /-/api/sanitize_ipynb allows arbitrary data: URIs without proper restrictions, potentially leading to Cross-Site Scripting (XSS). The endpoint uses bluemonday.UGCPolicy() with p.AllowURLSchemes("data") which permits all data URI schemes including data:text/html, enabling attackers to inject malicious HTML/JavaScript. Additionally, the endpoint has no authentication middleware, allowing any registered user to exploit this vulnerability. This vulnerability is fixed in 0.14.3.

Metadata

CVE ID: CVE-2026-52816
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-06-08 18:11 UTC
Published: 2026-06-24 20:26 UTC
Last updated: 2026-06-24 20:26 UTC
Primary CWE: CWE-80
CWE-80: Improper Neutralization of Script-Related HTML Tags …
Vendor / Product: gogs / gogs
Sources: cve.org · NVD

Severity & Metrics

5.4 MEDIUM CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:P

Affected products (1)

Vendor	Product	Platform	Versions
gogs	gogs	—	< 0.14.3

Weakness (CWE)

CWE	Source	Description
CWE-80	cna	CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

CVSS scores (1)

Score	Severity	Version	Source	Vector
5.4	MEDIUM	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:P

References (4)

https://github.com/gogs/gogs/security/advisories/GHSA-3w28-36p9-w929 https://github.com/gogs/gogs/security/advisories/GHSA-3w28-36p9-w929
https://github.com/gogs/gogs/pull/8326 https://github.com/gogs/gogs/pull/8326
https://github.com/gogs/gogs/commit/dd1bd9837aa196b3ed3a8ee21e5727b5d7a986a3 https://github.com/gogs/gogs/commit/dd1bd9837aa196b3ed3a8ee21e5727b5d7a986a3
https://github.com/gogs/gogs/releases/tag/v0.14.3 https://github.com/gogs/gogs/releases/tag/v0.14.3