Skip to content

Gogs has DOM-based XSS via Milestone Name on New Issue Page

High severity GitHub Reviewed Published Jun 19, 2026 in gogs/gogs • Updated Jun 23, 2026

Package

gomod gogs.io/gogs (Go)

Affected versions

< 0.14.3

Patched versions

0.14.3

Description

Summary

The fix for GHSA-vgjm-2cpf-4g7c (DOM-based XSS via milestone selection) was only applied to templates/repo/issue/view_content.tmpl but not to templates/repo/issue/new_form.tmpl. An attacker can store an HTML/JavaScript payload in a milestone name, and when any user opens the New Issue page and interacts with the milestone dropdown, the payload executes in their browser via Semantic UI's preserveHTML behavior.

Details

GHSA-vgjm-2cpf-4g7c was patched by adding | Sanitize (bluemonday HTML tag stripping) to milestone name rendering in view_content.tmpl. However, the same milestone dropdown exists in new_form.tmpl and was not patched.

In new_form.tmpl, milestone names are rendered with Go's default auto-escaping ({{.Name}}), which converts < to &lt; etc. This prevents direct HTML injection. However, when the browser renders the DOM, the text content of the element contains the decoded original payload (e.g., <img src=x onerror=alert(1)>).

Semantic UI 2.4.2's dropdown component has preserveHTML: true as the default setting. When a user selects a dropdown item, the internal set.text() method calls jQuery's .html() with the item's text content. This re-parses the decoded text as HTML, creating the injected element and triggering the JavaScript event handler.

PoC

poc.zip
Please extract the uploaded compressed file before proceeding

  1. docker compose up --build

스크린샷 2026-04-06 오후 9 34 05

Impact

  • Stored DOM XSS: Any user with write access to a repository can create a malicious milestone. Any other user who visits the New Issue page and interacts with the milestone dropdown will have arbitrary JavaScript executed in their browser session.
  • Session hijacking: The attacker can steal session cookies, perform actions as the victim, or escalate privileges.

References

@unknwon unknwon published to gogs/gogs Jun 19, 2026
Published to the GitHub Advisory Database Jun 23, 2026
Reviewed Jun 23, 2026
Last updated Jun 23, 2026

Severity

High

EPSS score

Exploit Prediction Scoring System (EPSS)

This score estimates the probability of this vulnerability being exploited within the next 30 days. Data provided by FIRST.
(38th percentile)

Weaknesses

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Learn more on MITRE.

CVE ID

CVE-2026-52807

GHSA ID

GHSA-vcm5-gvmp-78mp

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.