Summary
Gogs: XSS in .ipynb files renderer due to outdated notebookjs
Advisory details
Summary
Gogs renders Jupyter notebook files (.ipynb) using jsvine/notebookjs, but the version is outdated, missing patches for known XSS vulnerabilities.
Details
Gogs uses version 0.4.2 of notebookjs to render Jupyter notebook files:
The latest version of jsvine/notebookjs is 0.8.3, patching many XSS vulnerabilities in its releases. The proof of concept below shows an example working payload that renders HTML through Markdown.
PoC
- Create a new repository
- Create a file inside the repository named
xss.ipynband give it the following content:
{"cells": [{"cell_type": "markdown", "metadata": {}, "source": ["<img src=x onerror=\"alert(origin)\">"]}], "metadata": {}, "nbformat": 4, "nbformat_minor": 2}
- Save the file and view the file in Gogs. Notice that the XSS popup triggers:
Impact
Any user with rights to create repositories can create XSS payloads that take over the victim's account when visited. Either through their own exploration of the files or by directly linking them the vulnerable URL.
References
Related vulnerabilities
All Supply chain →- HIGHCVE-2026-55692
StarCitizenWiki Extension Embed Video: Stored XSS via malformed src url with $wgEmbedVideoRequireConsent enabled
- HIGHCVE-2026-52801
Gogs has the ability to import local repositories via Mirror Settings
- HIGHCVE-2026-52800
Gogs Vulnerable to CSRF Leading to Organization Owner Takeover
- HIGHCVE-2026-52799
Gogs Missing Authorization in Attachment Download
- HIGHCVE-2026-52798
Gogs has Stored XSS in `.ipynb` Preview
- MEDIUMCVE-2026-50179
@actual-app/web has CSV Formula Injection in Transaction Export via Imported Payee/Notes Fields