CVE-2026-52807: Gogs Stored DOM-based XSS via Milestone Name on New Issue Page
A repository collaborator can store a JavaScript payload inside a milestone name that silently executes in any visitor's browser the moment they open the New Issue page and interact with the milestone dropdown

The problem
Any user with write access to a Gogs repository can create a milestone whose name contains an HTML/JavaScript payload. When a victim opens the New Issue page and clicks the milestone dropdown, the payload executes in their browser session.
Successful exploitation allows the attacker to steal session cookies, impersonate the victim, or perform arbitrary actions on their behalf. All Gogs versions before 0.14.3 are affected.
Proof of concept
# Step 1: Create a milestone with this exact name (as a repo collaborator)
<img src=x onerror=alert(document.cookie)>
# Step 2: As any user, visit the New Issue page and click the milestone dropdown
# GET /owner/repo/issues/new
# --> click the milestone selector --> onerror fires, cookies exfiltrated
Root cause
Go's html/template package HTML-encodes the milestone name on render, so `<img src=x onerror=alert(1)>` becomes `&lt;img src=x onerror=alert(1)&gt;` in the raw HTML. The browser parses that safely as text, not markup, so nothing fires on page load.
The trap triggers on interaction. Semantic UI 2.4.2 ships with `preserveHTML: true` as its default dropdown setting. When a user selects a dropdown item, the internal `set.text()` method calls jQuery's `.html()` with the element's `.textContent`. The browser has already decoded the HTML entities back to the raw string, so `.html()` receives and re-parses the literal `<img src=x onerror=...>`, inserting a real DOM element and firing the event handler.
The previous fix for GHSA-vgjm-2cpf-4g7c added a `| Sanitize` pipe (bluemonday tag-stripping) to `templates/repo/issue/view_content.tmpl`, but the identical milestone dropdown in `templates/repo/issue/new_form.tmpl` was left unpatched. Commit 573eacdc applies the same `| Sanitize` filter to `new_form.tmpl`, stripping HTML before the value ever reaches the DOM.
The fix
Upgrade to Gogs 0.14.3 (commit 573eacdc658641487f8ad883da96b29ec8e2852d, PR #8325). The patch adds the `| Sanitize` template filter to milestone name rendering in `templates/repo/issue/new_form.tmpl`, matching the fix already present in `view_content.tmpl`. If an immediate upgrade is not possible, manually apply `| Sanitize` to every `{{.Name}}` call inside the milestone dropdown section of `new_form.tmpl`.
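The round trip described in the root-cause section and the effect of the `| Sanitize` fix can be reproduced outside a browser. The following Go program is an added example, not Gogs code: it renders a dropdown item with html/template the way `new_form.tmpl` did, simulates the browser's `.textContent` (entity decoding) with `html.UnescapeString`, and shows that the decoded value is tag-shaped again, so anything that hands it to jQuery `.html()` re-creates the element. The `sanitizeName` function is a simplified stand-in for Gogs' bluemonday-backed `Sanitize` filter; the template source, struct fields and sample milestone name are constructed for the example.

```go
package main

import (
	"bytes"
	"fmt"
	"html"
	"html/template"
	"regexp"
)

// Constructed sample milestone name of the shape described in the advisory:
// a tag carrying an event handler, followed by an innocuous label.
const sampleName = `<img src=x onerror=alert(document.cookie)>v1.0`

// tagPattern matches anything shaped like an HTML tag.
var tagPattern = regexp.MustCompile(`<[^>]*>`)

// sanitizeName is a stand-in for the Gogs `Sanitize` template filter, which
// strips tags with bluemonday. This simplified version only drops tag-shaped
// runs; production code should use the real, policy-based filter.
func sanitizeName(s string) string {
	return tagPattern.ReplaceAllString(s, "")
}

// renderItem renders one milestone dropdown item with html/template, either
// as the vulnerable template did ({{.Name}}) or with the Sanitize pipe applied.
func renderItem(name string, withSanitize bool) string {
	src := `<div class="item" data-value="{{.ID}}">{{.Name}}</div>`
	if withSanitize {
		src = `<div class="item" data-value="{{.ID}}">{{.Name | Sanitize}}</div>`
	}
	tmpl := template.Must(template.New("item").
		Funcs(template.FuncMap{"Sanitize": sanitizeName}).
		Parse(src))
	data := struct {
		ID   int
		Name string
	}{ID: 7, Name: name}
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, data); err != nil {
		panic(err)
	}
	return buf.String()
}

// innerPattern extracts the text between the item's opening and closing tags.
var innerPattern = regexp.MustCompile(`^<div[^>]*>(.*)</div>$`)

// textContentOf simulates the browser's .textContent for the rendered item:
// the inner text with HTML entities decoded back to raw characters.
func textContentOf(rendered string) string {
	m := innerPattern.FindStringSubmatch(rendered)
	if m == nil {
		return ""
	}
	return html.UnescapeString(m[1])
}

// reparsesAsMarkup reports whether handing this string to jQuery .html()
// (what Semantic UI does with preserveHTML: true) would create an element.
func reparsesAsMarkup(textContent string) bool {
	return tagPattern.MatchString(textContent)
}

func main() {
	for _, withSanitize := range []bool{false, true} {
		text := textContentOf(renderItem(sampleName, withSanitize))
		fmt.Printf("sanitize=%-5v textContent=%q reparsesAsMarkup=%v\n",
			withSanitize, text, reparsesAsMarkup(text))
	}
}
```

Without the filter the escaped output is correct HTML, yet `.textContent` yields the original payload and the client-side re-insertion turns it back into markup. Stripping the tags server-side before the template escapes the value removes the hazard regardless of what the dropdown widget later does with the text.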