Gogs is an open source self-hosted Git service. In application version 0.14.0+dev and prior, there is a stored cross-site scripting (XSS) vulnerability present in Gogs, which allows client-side Javascript code execution. The vulnerability is caused by the usage of a vulnerable and outdated component: pdfjs-1.4.20 under public/plugins/. This issue has been fixed for gogs.io/gogs in version 0.13.3.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| github.com/gogs/gogs(Go) | 0 | 0.13.3-0.20250608224432-110117b2e5e5 | N/A |
| gogs.io/gogs(Go) | 0 | 0.13.3-0.20250608224432-110117b2e5e5 | N/A |
CVSS Metrics
