Cyber Posture

CVE-2026-26022

High · Public PoC

Published: 05 March 2026
Modified: 06 March 2026
KEV Added: not listed
Patch: 0.14.2
CVSS Score: 8.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N)
EPSS Score: 0.0001 (3.3rd percentile)
Risk Priority: 17 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-26022 is a high-severity stored Cross-site Scripting (CWE-79) vulnerability in Gogs (vendor: Gogs). Its CVSS v3.1 base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Session Hijacking (T1185). EPSS ranks it at the 3.3rd percentile for exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-15 (Information Output Filtering) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Browser Session Hijacking (T1185) and 3 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent: SI-2 requires timely flaw remediation, directly addressing the specific HTML sanitizer vulnerability in Gogs by applying the patch in version 0.14.2.

prevent: SI-15 mandates output filtering to prevent XSS by sanitizing rendered content such as comments and issue descriptions, blocking malicious data: URI schemes.

prevent: SI-10 enforces input validation at entry points to restrict malicious payloads such as data: URIs in comment and issue submissions.

MITRE ATT&CK Enterprise Techniques

T1185 Browser Session Hijacking (Collection): Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user behaviors, and intercept information as part of various browser session hijacking techniques.

T1539 Steal Web Session Cookie (Credential Access): An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.

T1491.002 External Defacement (Impact): An adversary may deface systems external to an organization in an attempt to deliver messaging, intimidate, or otherwise mislead an organization or users.

T1550.004 Web Session Cookie (Lateral Movement): Adversaries can use stolen session cookies to authenticate to web applications and services.
Why these techniques?

Stored XSS directly enables browser session hijacking (T1185) through attacker-controlled JavaScript, theft of web session cookies (T1539), external defacement of repository content (T1491.002), and use of the stolen cookies to act as the victim (T1550.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Gogs is an open source self-hosted Git service. Prior to version 0.14.2, a stored cross-site scripting (XSS) vulnerability exists in the comment and issue description functionality. The application's HTML sanitizer explicitly allows data: URI schemes, enabling authenticated users to inject arbitrary JavaScript execution via malicious links. This issue has been patched in version 0.14.2.

Deeper analysis

CVE-2026-26022 is a stored cross-site scripting (XSS) vulnerability (CWE-79) in Gogs, an open source self-hosted Git service. The flaw affects versions prior to 0.14.2 and resides in the comment and issue description functionality, where the HTML sanitizer explicitly permits data: URI schemes. This allows authenticated users to inject malicious links that enable arbitrary JavaScript execution when rendered in users' browsers.

An authenticated attacker with low privileges can exploit this vulnerability over the network with low complexity, though it requires user interaction from a victim viewing the tainted comment or issue. Successful exploitation leads to high confidentiality and integrity impacts with a changed scope, potentially allowing attackers to steal session cookies, perform actions on behalf of victims, or deface repository content. The CVSS v3.1 base score is 8.7 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N).

The issue has been addressed in Gogs version 0.14.2, as detailed in the project's security advisory (GHSA-xrcr-gmf5-2r8j), release notes, associated pull request (#8174), and patching commit (441c64d7bd8893b2f4e48660a8be3a7472e14291). Security practitioners should urge users to upgrade immediately to mitigate the risk.
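The root cause above is a sanitizer that lets the data: scheme through on links. The following Go program is an added illustration of the defensive check such a sanitizer needs, not Gogs's own code or its patch: an href scheme allowlist that omits data: and javascript:, applied after browser-style normalization so that case and embedded tabs cannot bypass it. The scheme set, the function names and the sample href values are constructed for this example.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Scheme allowlist for href values (constructed for this example). data: is
// deliberately absent: a data: URL can wrap an HTML or JavaScript body,
// which is the root cause described for CVE-2026-26022.
var allowedSchemes = map[string]bool{"http": true, "https": true, "mailto": true}

// normalizeHref mimics browser URL pre-processing: C0 controls and spaces
// are trimmed at both ends and ASCII tab/newline are removed anywhere, so a
// scheme split by a tab ("dat\ta:") is still recognised as that scheme.
func normalizeHref(raw string) string {
	trimmed := strings.TrimFunc(raw, func(r rune) bool { return r <= ' ' })
	return strings.Map(func(r rune) rune {
		if r == '\t' || r == '\n' || r == '\r' {
			return -1
		}
		return r
	}, trimmed)
}

// SafeHref reports whether a user-supplied href may be kept. Relative links
// (no scheme) are fine; absolute ones must use an allowlisted scheme. Any
// unparsable value is rejected rather than passed through.
func SafeHref(raw string) bool {
	u, err := url.Parse(normalizeHref(raw))
	if err != nil {
		return false
	}
	if u.Scheme == "" {
		return true
	}
	return allowedSchemes[strings.ToLower(u.Scheme)]
}

func main() {
	// Constructed sample href values as they might appear in an issue comment.
	for _, h := range []string{
		"https://example.com/repo", "/user/repo/issues/1",
		"data:text/html,<h1>x</h1>", " DATA:text/plain,x", "dat\ta:text/plain,x",
	} {
		fmt.Printf("%-32q keep=%v\n", h, SafeHref(h))
	}
}
```

Rejected links would be dropped or rewritten to a harmless href by the sanitizer; the check is a complement to, not a substitute for, upgrading to 0.14.2.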

Details

CWE(s)

Affected Products

gogs / gogs: ≤ 0.14.2

CVEs Like This One

CVE-2026-26276 (same product: Gogs Gogs)
CVE-2026-24135 (same product: Gogs Gogs)
CVE-2026-26194 (same product: Gogs Gogs)
CVE-2026-25242 (same product: Gogs Gogs)
CVE-2025-64175 (same product: Gogs Gogs)
CVE-2025-64111 (same product: Gogs Gogs)
CVE-2026-25232 (same product: Gogs Gogs)
CVE-2025-8110 (same product: Gogs Gogs)
CVE-2026-25921 (same product: Gogs Gogs)
CVE-2026-24836 (shared CWE-79)

References