CVE-2026-52816

Gogs is an open source self-hosted Git service. Prior to 0.14.3, the Jupyter Notebook (ipynb) sanitizer endpoint at POST /-/api/sanitize_ipynb allows arbitrary data: URIs without proper restrictions, potentially leading to Cross-Site Scripting (XSS). The endpoint uses bluemonday.UGCPolicy() with p.AllowURLSchemes("data") which permits all data URI schemes including data:text/html, enabling attackers to inject malicious HTML/JavaScript. Additionally, the endpoint has no authentication middleware, allowing any registered user to exploit this vulnerability. This vulnerability is fixed in 0.14.3.
CVSS

No CVSS.

Configurations

No configuration.

History

25 Jun 2026, 21:16

Type Values Removed Values Added
References () https://github.com/gogs/gogs/security/advisories/GHSA-3w28-36p9-w929 - () https://github.com/gogs/gogs/security/advisories/GHSA-3w28-36p9-w929 -

24 Jun 2026, 21:16

Type Values Removed Values Added
New CVE

Information

Published : 2026-06-24 21:16

Updated : 2026-06-25 21:16


NVD link : CVE-2026-52816

Mitre link : CVE-2026-52816

CVE.ORG link : CVE-2026-52816


JSON object : View

Products Affected

No product.

CWE
CWE-80

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)