CVE Catalog

CVE-2026-28737

Severity: High · CVSS 8.7
Published: · Source: NVD (NIST)

Exploitation Probability (EPSS)

Low risk
0.34%

26th percentile — higher than 26% of all known CVEs

Summary

A stored cross-site scripting (XSS) vulnerability in Gitea allows attackers to inject malicious scripts via the extensionsRequired field of glTF files rendered by the 3D file viewer. Affected versions: 1.25.0 up to, but not including, 1.26.0.

Risk Assessment

Because the payload is stored in the repository and rendered by the viewer, an attacker can execute arbitrary JavaScript in the browser of any user who views the crafted file, potentially leading to session hijacking, repository modification, or data theft.

Recommendation

Upgrade Gitea to version 1.26.0 or later immediately to mitigate the vulnerability.

Original NVD description (English source)

Gitea versions from 1.25.0 before 1.26.0 allow stored cross-site scripting through the extensionsRequired field in glTF files rendered by the 3D file viewer.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS