CVE-2026-52798— Gogs: Stored XSS in `.ipynb` Preview
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-52798
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Gogs: Stored XSS in `.ipynb` Preview
Source: NVD (National Vulnerability Database)
Vulnerability Description
Gogs is an open source self-hosted Git service. Prior to 0.14.3, although .ipynb previews are sanitized on the server side via /-/api/sanitize_ipynb, the inserted content is re-rendered on the client side without sanitization using marked() on elements with the .nb-markdown-cell class. During this process, links containing schemes such as javascript: can be regenerated. As a result, when a victim views an attacker-crafted .ipynb file and clicks the link, arbitrary JavaScript is executed in the Gogs origin, leading to a click-based Stored XSS. This vulnerability is fixed in 0.14.3.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L
Source: NVD (National Vulnerability Database)
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Source: NVD (National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-52798
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-52798
请登录查看更多情报信息。
Other References for CVE-2026-52798 (4)
- 🔗 Stored XSS in `.ipynb` Preview · Advisory · gogs/gogs · GitHub Read full article x_refsource_CONFIRM
Same Patch Batch · gogs · 2026-06-24 · 24 CVEs total
| CVE-2026-52813 | 10.0 CRITICAL | Gogs: Path Traversal in organization name results in RCE through Git hooks |
| CVE-2026-52806 | 9.9 CRITICAL | Gogs: RCE via git rebase --exec argument injection in pull request merge |
| CVE-2026-52800 | 8.8 HIGH | Gogs: CSRF Leading to Organization Owner Takeover |
| CVE-2026-52805 | 8.7 HIGH | Gogs: Migration Redirect Bypass Leads to Internal Repository Theft |
| CVE-2026-52797 | 8.5 HIGH | Gogs: Overwriting critical files results in a denial of service |
| CVE-2026-47267 | 8.3 HIGH | Gogs: SSRF in webhook deliveries |
| CVE-2026-52801 | 8.1 HIGH | Gogs: Ability to import local repositories via Mirror Settings |
| CVE-2026-52799 | 7.5 HIGH | Gogs: Missing Authorization in Attachment Download |
| CVE-2026-52808 | 7.1 HIGH | Gogs: Write-level collaborators can mutate admin-only repository settings via API |
| CVE-2026-52809 | 6.8 MEDIUM | Gogs: Password-reset tokens use account-activation lifetime, ignoring RESET_PASSWORD_CODE_ |
| CVE-2026-52802 | 5.4 MEDIUM | Gogs: Open Redirect via redirect_to in Gogs |
| CVE-2025-64719 | 4.9 MEDIUM | Gogs: Denial of Service in repository/wiki file listing web pages |
| CVE-2026-52795 | 4.3 MEDIUM | Gogs: Authorization Bypass in Watch API allows any user to monitor private repository acti |
| CVE-2026-52796 | 3.5 LOW | Gogs: DoS in rendering issue index pattern |
| CVE-2026-52814 | Gogs: Unauthenticated Asymmetric Denial of Service (DoS) via SSH Handshake Stall (File Des | |
| CVE-2026-52810 | Gogs: Write to readonly repositories using receive-pack + service=git-upload-pack confusio | |
| CVE-2026-52812 | Gogs: LFS dedupe path leaks private repo content across tenants | |
| CVE-2026-52807 | Gogs: DOM-based XSS via Milestone Name on New Issue Page | |
| CVE-2026-52804 | Gogs: Privilege Escalation via Collaboration Access Mode Validation | |
| CVE-2026-52815 | Gogs: Unauthenticated Organization Teams Information Disclosure via API |
Showing top 20 of 24 CVEs. View all on vendor page → →
IV. Related Vulnerabilities
Same product: gogs
- CVE-2026-52797
Gogs: Overwriting critical files results in a denial of serv - CVE-2026-52813
Gogs: Path Traversal in organization name results in RCE thr - CVE-2026-52812
Gogs: LFS dedupe path leaks private repo content across tena - CVE-2026-52811
Gogs: UploadRepoFiles writes outside repo working tree via c - CVE-2026-52810
Gogs: Write to readonly repositories using receive-pack + se
Same vendor: gogs
- CVE-2026-52797
Gogs: Overwriting critical files results in a denial of serv - CVE-2026-52813
Gogs: Path Traversal in organization name results in RCE thr - CVE-2026-52812
Gogs: LFS dedupe path leaks private repo content across tena - CVE-2026-52811
Gogs: UploadRepoFiles writes outside repo working tree via c - CVE-2026-52810
Gogs: Write to readonly repositories using receive-pack + se
Same weakness: CWE-79
- CVE-2026-57656
WordPress Hester Core plugin <= 1.1.8 - Cross Site Scripting - CVE-2026-57651
WordPress Ghost Kit plugin <= 3.6.0 - Cross Site Scripting ( - CVE-2026-57650
WordPress Magazine Blocks plugin <= 1.8.3 - Cross Site Scrip - CVE-2026-57638
WordPress Fluent Booking plugin <= 2.1.0 - Cross Site Script - CVE-2026-57629
WordPress StatCounter plugin <= 2.1.1 - Cross Site Scripting
V. Comments for CVE-2026-52798
No comments yet