CVE-2026-28737 is a high-severity cross-site scripting (XSS) vulnerability in code.gitea.io/gitea (go), affecting versions >= 1.25.0, < 1.26.0. It is fixed in 1.26.0.
Summary Me again. Gitea's built-in 3D file viewer (powered by Online3DViewer) is vulnerable to stored cross-site scripting (XSS) through crafted .gltf files. When a glTF file declares an unsupported required extension, Online3DViewer generates an error message containing the extension name and Gitea inserts it into the DOM using innerHTML without sanitization. An attacker who can push a .gltf file to any repository can execute arbitrary JavaScript in the context of any user who views the file. Affected Versions Gitea 1.25.0 and later (3D file preview was introduced in 1.25 via the Online3DViewer integration) Confirmed on gitea:1.25-nightly (SHA e33d1da...), which bundles online-3d-viewer npm package v0.16.0 The upstream Online3DViewer library is the root cause Severity Stored XSS: the payload persists in the repository and fires on every page view Executes under the Gitea origin with the victim's session (cookies, CSRF tokens) Any authenticated user viewing the file is compromised Enables full account takeover (token creation, settings modification, repository manipulation) No user interaction beyond viewing the file page is required Details Root Cause When Online3DViewer parses a glTF file, it checks whether all extensionsRequired entries are supported. For unsupported extensions, it calls: The SetError method stores this message, and Gitea's rendering code inserts it into the page using innerHTML: The extension names from extensionsRequired are taken directly from the JSON file with no escaping or sanitization, allowing HTML injection. Attack Vector An attacker creates a .gltf file with a malicious extensionsRequired value: The attacker pushes this file to any Gitea repository they have write access to (including forks of public repositories). When any user navigates to the file's page in the Gitea web UI, the 3D viewer attempts to render it, encounters the "unsupported extension," and inserts the error message (containing the attacker's HTML) into the DOM via innerHTML. The injected <img onerror> handler executes arbitrary JavaScript under the Gitea origin with the victim's authenticated session. Impact From the XSS context, an attacker can: Create API access tokens for the victim by POSTing to /user/settings/applications with the page's CSRF token Read private repositories via same-origin API calls Modify repository contents (supply chain attacks) Escalate to admin if the victim is a Gitea administrator Exfiltrate data via fetch, XMLHttpRequest, or navigator.sendBeacon Proof of Concept Minimal PoC (alert box) Save as poc.gltf and push to any Gitea 1.25+ repository: Navigate to the file in the Gitea web UI. The alert will fire. Suggested Fixes Sanitize or text-encode the error message before DOM insertion. Replace innerHTML with textContent for error display: Alternatively, escape HTML entities in the error message before insertion. Additional hardening Render 3D file previews inside a sandboxed <iframe> with sandbox="allow-scripts" and a restrictive CSP (default-src 'none'), similar to how Gitea already handles SVG attachments Apply Content-Security-Policy headers to file preview pages that restrict inline script execution
Untrusted input is rendered as active markup in a victim's browser, which can run script in their session. Typical impact: session or credential theft, and actions taken as the user.
CVE-2026-28737 has a CVSS score of 8.7 (High). The vector is network-reachable, low privileges required, and user interaction required. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment.
A fixed version is available (1.26.0). Upgrading removes the vulnerable code path.
go
code.gitea.io/gitea (>= 1.25.0, < 1.26.0)code.gitea.io/gitea → 1.26.0 (go)Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.
Kodem's runtime-powered SCA identifies whether CVE-2026-28737 is reachable in your applications. Explore open-source security for your team.
See if CVE-2026-28737 is reachable in your applications. Get a demo
Upgrade code.gitea.io/gitea to 1.26.0 or later to resolve this vulnerability.
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
CVE-2026-28737 is a high-severity cross-site scripting (XSS) vulnerability in code.gitea.io/gitea (go), affecting versions >= 1.25.0, < 1.26.0. It is fixed in 1.26.0. Untrusted input is rendered as active markup in a victim's browser, which can run script in their session.
CVE-2026-28737 has a CVSS score of 8.7 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
code.gitea.io/gitea (go) versions >= 1.25.0, < 1.26.0 is affected.
Yes. CVE-2026-28737 is fixed in 1.26.0. Upgrade to this version or later.
Whether CVE-2026-28737 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
Upgrade code.gitea.io/gitea to 1.26.0 or later.