gogs.io/gogs

CVE-2026-52816

CVE-2026-52816 is a cross-site scripting (XSS) vulnerability in gogs.io/gogs (go), affecting versions < 0.14.3 and fixed in 0.14.3. The key facts below rate it Medium with no published CVSS vector; the reporter's summary further down rates it High.

Key facts

  • CVSS score: N/A (severity rated Medium)
  • Attack vector: Not available
  • Issuing authority: GitHub Advisory Database
  • Affected package: gogs.io/gogs
  • Fixed in: 0.14.3
  • Disclosed: 2026

Summary

The Jupyter Notebook (ipynb) sanitizer endpoint at POST /-/api/sanitizeipynb allows arbitrary data: URIs without proper restrictions, potentially leading to Cross-Site Scripting (XSS). The endpoint uses bluemonday.UGCPolicy() with p.AllowURLSchemes("data"), which permits all data URI schemes including data:text/html, enabling attackers to inject malicious HTML/JavaScript. Additionally, the endpoint has no authentication middleware, allowing any registered user to exploit this vulnerability.

Severity: High

Affected Versions: All versions using the vulnerable endpoint

Vulnerability Details

  • CVE ID: (To be assigned)
  • Entry Point: POST /-/api/sanitizeipynb
  • Attack Vector: Network
  • Authentication Required: No (only needs a registered user account)

Impact

An attacker with a registered user account can:

  • Send malicious HTML containing data:text/html URIs to the sanitization endpoint
  • Receive sanitized but attacker-controlled HTML in the response
  • Execute arbitrary JavaScript in the attacker's browser context through XSS
  • Potentially exploit other users if the sanitized output is rendered in their context

The vulnerability has higher severity because:

  • No authentication required (only needs a registered user account)
  • Unlike the safer pattern in internal/markup/sanitizer.go:39, which uses isSafeDataURI to only allow safe image MIME types, this endpoint allows ALL data URIs including HTML
  • The returned HTML can be used to craft XSS attacks

Proof of Concept

Attacker sends a POST request to the sanitization endpoint:

The server returns the sanitized HTML with the data URI preserved:

When this HTML is rendered in a browser, the JavaScript within the data URI will execute, leading to XSS.

Affected Component

  • File: internal/app/api.go:10-16
  • File: cmd/gogs/web.go:681-683 - No authentication middleware

Root Cause

  • Unrestricted data URI scheme: The code at internal/app/api.go:14 uses p.AllowURLSchemes("data") without any restriction, unlike the safer implementation in internal/markup/sanitizer.go:39, which uses AllowURLSchemeWithCustomPolicy("data", isSafeDataURI) to only allow safe image MIME types.
  • No authentication: The endpoint at cmd/gogs/web.go:682 does not have any authentication middleware applied, making it accessible to any registered user.
  • Insufficient validation: The sanitization only removes dangerous tags/attributes but preserves data URIs, allowing data:text/html payloads to pass through.

Suggested Fix

Option 1: Use the same safe pattern as internal/markup/sanitizer.go. Replace p.AllowURLSchemes("data") with:

Where isSafeDataURI is a function that only allows safe image MIME types (image/png, image/jpeg, image/gif, etc.).

Option 2: Add authentication middleware. Apply appropriate authentication to the endpoint:

Option 3: Disable data URI scheme entirely. If data URIs are not required for ipynb sanitization:
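As an added illustration of the difference between the two bluemonday policies (this is example code written for this page, not code from gogs or from the advisory): a standard-library Go check with the signature bluemonday's AllowURLSchemeWithCustomPolicy callback takes, beside a model of what the unrestricted AllowURLSchemes("data") policy lets through. isSafeDataURI is the function name the advisory uses for the safe pattern in internal/markup/sanitizer.go, but the body below is a reconstruction; the image allowlist and the sample attribute values are this example's own assumptions.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// safeImageTypes is the allowlist of data: media types that may be embedded.
// The advisory names image/png, image/jpeg and image/gif "etc."; the exact
// list here is this example's assumption, not the project's.
var safeImageTypes = map[string]bool{
	"image/png":  true,
	"image/jpeg": true,
	"image/gif":  true,
	"image/webp": true,
}

// isSafeDataURI has the shape bluemonday expects from
// AllowURLSchemeWithCustomPolicy("data", isSafeDataURI): it receives the
// parsed URL and returns true only if the data: URI may be kept.
// net/url parses "data:image/png;base64,AAAA" with Scheme "data" and
// everything after the colon in Opaque, so the media type is the part of
// Opaque before the first ',' with any ";base64" or ";param" suffix dropped.
func isSafeDataURI(u *url.URL) bool {
	if u.Scheme != "data" {
		return false
	}
	meta, _, found := strings.Cut(u.Opaque, ",")
	if !found {
		// RFC 2397 requires the comma; without it there is no payload.
		return false
	}
	mediaType, _, _ := strings.Cut(meta, ";")
	mediaType = strings.ToLower(strings.TrimSpace(mediaType))
	// An empty media type defaults to text/plain under RFC 2397; reject it
	// rather than guess. image/svg+xml is deliberately absent from the
	// allowlist because SVG documents can carry script.
	return safeImageTypes[mediaType]
}

// dataURIAllowed mirrors what a sanitizer does with an href/src value:
// parse it, then ask the scheme policy. Unparseable values are rejected.
func dataURIAllowed(raw string) bool {
	u, err := url.Parse(raw)
	if err != nil {
		return false
	}
	return isSafeDataURI(u)
}

// unrestrictedDataAllowed models the vulnerable AllowURLSchemes("data")
// behaviour: any parseable URL whose scheme is "data" passes, whatever
// media type it carries.
func unrestrictedDataAllowed(raw string) bool {
	u, err := url.Parse(raw)
	if err != nil {
		return false
	}
	return u.Scheme == "data"
}

func main() {
	// Constructed sample attribute values, not taken from a real notebook.
	samples := []string{
		"data:image/png;base64,iVBORw0KGgo=",
		"data:IMAGE/JPEG,notreallyajpeg",
		"data:text/html,<script>alert(document.cookie)</script>",
		"data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==",
		"data:image/svg+xml,<svg onload=alert(1)></svg>",
		"data:image/png",
		"https://example.com/a.png",
	}
	for _, s := range samples {
		fmt.Printf("%-62q unrestricted=%-5t restricted=%t\n",
			s, unrestrictedDataAllowed(s), dataURIAllowed(s))
	}
}
```

Wiring the check in is the one-line change the advisory's Option 1 describes, p.AllowURLSchemeWithCustomPolicy("data", isSafeDataURI) in place of p.AllowURLSchemes("data"). The callback only decides whether a URL value is kept; stripping script tags and event-handler attributes is still the job of the rest of the bluemonday policy.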

Impact

What is cross-site scripting (XSS)?

Untrusted input is rendered as active markup in a victim's browser, which can run script in their session. Typical impact: session or credential theft, and actions taken as the user. In this case the sanitizer endpoint hands attacker-supplied HTML back with data:text/html URIs intact; whether that reaches anyone other than the attacker depends on where the sanitized output is rendered.

Affected versions

go

  • gogs.io/gogs (< 0.14.3)

Security releases

  • gogs.io/gogs → 0.14.3 (go)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.

Kodem's runtime-powered SCA identifies whether CVE-2026-52816 is reachable in your applications. Explore open-source security for your team.



Remediation advice

Upgrade gogs.io/gogs to 0.14.3 or later to resolve this vulnerability. To confirm the fix, submit HTML containing a data:text/html href to POST /-/api/sanitizeipynb and check that the URI no longer comes back intact in the response.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently asked questions about CVE-2026-52816

What is CVE-2026-52816?

CVE-2026-52816 is a medium-severity cross-site scripting (XSS) vulnerability in gogs.io/gogs (go), affecting versions < 0.14.3. It is fixed in 0.14.3. Untrusted input is rendered as active markup in a victim's browser, which can run script in their session.

Which versions of gogs.io/gogs are affected by CVE-2026-52816?

gogs.io/gogs (go) versions < 0.14.3 are affected.

Is there a fix for CVE-2026-52816?

Yes. CVE-2026-52816 is fixed in 0.14.3. Upgrade to this version or later.

Is CVE-2026-52816 exploitable, and should I be worried?

Whether CVE-2026-52816 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.

What actually determines whether CVE-2026-52816 is exploitable, and how bad it is?

Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.

How do I fix CVE-2026-52816?

Upgrade gogs.io/gogs to 0.14.3 or later.
