Gogs is an open source self-hosted Git service. Prior to 0.14.3, the Jupyter Notebook (ipynb) sanitizer endpoint at POST /-/api/sanitize_ipynb allows arbitrary data: URIs without proper restrictions, potentially leading to Cross-Site Scripting (XSS). The endpoint uses bluemonday.UGCPolicy() with p.AllowURLSchemes("data") which permits all data URI schemes including data:text/html, enabling attackers to inject malicious HTML/JavaScript. Additionally, the endpoint has no authentication middleware, allowing any registered user to exploit this vulnerability. This vulnerability is fixed in 0.14.3.
CVSS
No CVSS.
References
Configurations
No configuration.
History
25 Jun 2026, 21:16
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://github.com/gogs/gogs/security/advisories/GHSA-3w28-36p9-w929 - |
24 Jun 2026, 21:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-06-24 21:16
Updated : 2026-06-25 21:16
NVD link : CVE-2026-52816
Mitre link : CVE-2026-52816
CVE.ORG link : CVE-2026-52816
JSON object : View
Products Affected
No product.
CWE
CWE-80
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
