CVE-2026-28737 in Giteainfo

Summary

by MITRE • 07/04/2026

Gitea versions from 1.25.0 before 1.26.0 allow stored cross-site scripting through the extensionsRequired field in glTF files rendered by the 3D file viewer.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 07/04/2026

This vulnerability exists within Gitea's 3D file viewer functionality where the application processes glTF files containing extension data that can be exploited for stored cross-site scripting attacks. The flaw specifically targets the extensionsRequired field within glTF file structures, which are processed and rendered by the web interface without adequate sanitization or input validation. When a malicious user uploads a glTF file with crafted extensionsRequired values containing script tags or other malicious payloads, these scripts become embedded within the file viewer's rendering process and execute in the context of authenticated users who view the file.

The technical implementation of this vulnerability stems from insufficient sanitization of user-supplied data within the 3D model rendering pipeline. Gitea's glTF parser does not properly escape or validate the extensionsRequired field contents, allowing arbitrary JavaScript code to be stored within the repository and subsequently executed when other users browse the 3D file viewer. This represents a classic stored XSS vulnerability where the malicious input persists in the application's database and executes against unsuspecting victims who interact with the compromised content.

The operational impact of this vulnerability extends beyond simple script execution as it enables attackers to perform actions such as stealing session cookies, redirecting users to malicious sites, or performing unauthorized operations within the Gitea environment. Since the vulnerability affects the 3D file viewer functionality that may be accessed by multiple users within an organization, it poses a significant risk for privilege escalation attacks where authenticated users could be tricked into executing malicious code. The vulnerability is particularly concerning in enterprise environments where Gitea is used for collaborative development and where users may trust repository content from colleagues or automated systems.

This vulnerability aligns with CWE-79 which defines cross-site scripting flaws as weaknesses that occur when an application includes untrusted data in a new web page without proper validation or escaping. The ATT&CK framework categorizes this under T1566 which covers credential access through social engineering techniques, where the stored XSS could be used to harvest authentication tokens from users viewing compromised files. Organizations should implement immediate mitigations including updating to Gitea version 1.26.0 or later where the vulnerability has been patched, implementing content security policies that restrict script execution in file viewer contexts, and adding input validation for glTF extension fields within repository upload processes. Additionally, administrators should consider implementing automated scanning of repository content for suspicious file patterns and establishing user education programs regarding the risks of viewing untrusted 3D model files from unknown sources.

The vulnerability demonstrates a critical gap in Gitea's security posture related to third-party file processing capabilities, highlighting the importance of validating all user-supplied content even when it appears benign. Security teams should prioritize this issue in their vulnerability management processes as it represents a potential vector for persistent attacks within development environments where trust relationships between team members may be exploited. Organizations using Gitea for code repositories containing 3D assets or model files should conduct immediate risk assessments and consider implementing additional security controls around file upload validation and content scanning mechanisms to prevent similar issues in other file types that may be processed by the application's rendering pipelines.

Responsible

Gitea

Reservation

03/03/2026

Disclosure

07/04/2026

Moderation

accepted

CPE

ready

EPSS

0.00336

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!