CVE-2026-52816 in Gogs

Summary

by MITRE • 06/25/2026

Gogs is an open source self-hosted Git service. Prior to 0.14.3, the Jupyter Notebook (ipynb) sanitizer endpoint at POST /-/api/sanitize_ipynb allows arbitrary data: URIs without proper restrictions, potentially leading to Cross-Site Scripting (XSS). The endpoint uses bluemonday.UGCPolicy() with p.AllowURLSchemes("data") which permits all data URI schemes including data:text/html, enabling attackers to inject malicious HTML/JavaScript. Additionally, the endpoint has no authentication middleware, allowing any registered user to exploit this vulnerability. This vulnerability is fixed in 0.14.3.


Analysis

by VulDB Data Team • 06/25/2026

The vulnerability exists in Gogs version 0.14.2 and earlier, specifically in the Jupyter Notebook (ipynb) sanitizer endpoint at POST /-/api/sanitize_ipynb. This endpoint processes notebook files that contain embedded HTML content, which makes it an attractive target for cross-site scripting. The flaw stems from improper validation of data: URI schemes during sanitization, so a seemingly benign notebook file can carry dangerous code through the sanitizer.

Technically, the flaw lies in how the bluemonday library's UGCPolicy() is configured: calling p.AllowURLSchemes("data") permits every data: URI regardless of its media type, including data:text/html, data:text/javascript and other content types that can carry executable code. The sanitizer endpoint passes these URIs through without any further validation, which defeats the very protection the sanitizer is meant to provide against cross-site scripting. Under CWE-79 this is a classic cross-site scripting weakness: user-controllable data is not properly escaped or validated before it is rendered in the browser.

The operational impact is significant because the endpoint has no authentication middleware and requires no elevated privileges: any registered user can exploit the flaw, which turns an otherwise minor issue into a potentially widespread threat within organizations running Gogs. A crafted ipynb file containing a data:text/html payload executes JavaScript when its output is processed by the sanitizer endpoint and rendered, which can lead to session hijacking, data exfiltration, or further exploitation of the system. The vulnerability maps to ATT&CK technique T1566.001 (initial access via spearphishing attachment), with the malicious notebook file serving as the attachment.

The security implications go beyond a single XSS execution, since the flaw lets attackers establish persistent access patterns within the Gogs environment. Combined with the missing authentication middleware, any authenticated user can use it to compromise other users' sessions or manipulate system behavior through crafted notebook content. The fix in version 0.14.3 restricts the permitted data: URI schemes and adds proper input validation, so that only safe and necessary data: URIs pass through the sanitizer. Organizations should upgrade to version 0.14.3 or later without delay to mitigate this risk in their self-hosted Git services.
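The root cause described above (a scheme-level allow of "data" that cannot distinguish an inline image from inline HTML) and the fix (restricting data: URIs with real input validation) can be illustrated with a URL policy that accepts only base64-encoded raster images whose payload actually matches the declared type. The code below is an added example, not Gogs code and not the upstream fix; the function shape `func(*url.URL) bool` is chosen to match what bluemonday's AllowURLSchemeWithCustomPolicy takes as a callback (an assumption about how one would wire it in), the image allowlist is the author's choice, and all sample URIs are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"fmt"
	"net/url"
	"strings"
)

// Magic-byte prefixes for the only media types this policy accepts.
// SVG is deliberately absent: it is XML and may embed script.
var allowedImageMagic = map[string][]byte{
	"image/png":  {0x89, 'P', 'N', 'G', 0x0d, 0x0a, 0x1a, 0x0a},
	"image/jpeg": {0xff, 0xd8, 0xff},
	"image/gif":  []byte("GIF8"),
}

// IsSafeDataURI accepts only "data:<image type>;base64,<payload>" where the
// media type is allowlisted, the payload is valid base64, and the decoded
// bytes start with the magic bytes of the declared type. Anything else,
// including data:text/html and non-base64 payloads, is rejected.
func IsSafeDataURI(raw string) bool {
	if len(raw) < 5 || !strings.EqualFold(raw[:5], "data:") {
		return false
	}
	header, payload, found := strings.Cut(raw[5:], ",")
	if !found {
		return false
	}
	parts := strings.Split(header, ";")
	mediaType := strings.ToLower(strings.TrimSpace(parts[0]))
	magic, ok := allowedImageMagic[mediaType]
	if !ok {
		return false
	}
	isBase64 := false
	for _, p := range parts[1:] {
		if strings.EqualFold(strings.TrimSpace(p), "base64") {
			isBase64 = true
		}
	}
	if !isBase64 {
		return false
	}
	decoded, err := base64.StdEncoding.DecodeString(payload)
	if err != nil {
		return false
	}
	return bytes.HasPrefix(decoded, magic)
}

// DataURLPolicy has the callback shape func(*url.URL) bool. For a data: URI
// parsed by net/url, the part after "data:" lands in u.Opaque (assumption
// about how a sanitizer would hand the URL to this policy).
func DataURLPolicy(u *url.URL) bool {
	if u == nil || !strings.EqualFold(u.Scheme, "data") {
		return false
	}
	return IsSafeDataURI("data:" + u.Opaque)
}

// ConstructedPNGDataURI builds a sample data: URI from a PNG header plus a
// few filler bytes (constructed for the example, not a real picture).
func ConstructedPNGDataURI() string {
	png := []byte{0x89, 'P', 'N', 'G', 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 13, 'I', 'H', 'D', 'R'}
	return "data:image/png;base64," + base64.StdEncoding.EncodeToString(png)
}

func main() {
	// Constructed samples: one legitimate inline image, and several URIs
	// that a bare AllowURLSchemes("data") would have let through.
	samples := []string{
		ConstructedPNGDataURI(),
		"data:text/html,<b>not an image</b>",
		"data:text/html;base64,PGI+",
		"data:image/png,<b>raw payload</b>",
		"data:image/png;base64,PGI+",
		"data:image/svg+xml;base64,PHN2Zz4=",
	}
	for _, s := range samples {
		u, err := url.Parse(s)
		if err != nil {
			fmt.Printf("reject (unparseable): %q\n", s)
			continue
		}
		fmt.Printf("allow=%-5v %q\n", DataURLPolicy(u), s)
	}
}
```

Only the first sample is allowed; every text/html variant, the unencoded image payload, the base64 payload whose bytes are not a PNG, and the SVG are all rejected, which is the behaviour a scheme-only allow cannot give you.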

Responsible: GitHub M

Reservation: 06/08/2026

Disclosure: 06/25/2026

Moderation: accepted

CPE: ready

EPSS: 0.00677

KEV: no

Activities: very low
