CVE-2026-59102
Severity: Medium (CVSS 5.4)
Exploitation Probability (EPSS): Low risk, 10th percentile (higher than 10% of all known CVEs)
Summary
Forgejo before version 15.0.3 contains a stored cross-site scripting vulnerability that allows authenticated attackers to execute arbitrary JavaScript in other users' browsers. The attack involves setting a full name with an HTML payload and triggering an Actions run, leading to script injection when the page is rendered.
Risk Assessment
The risk includes session hijacking, data theft, or unauthorized actions performed on behalf of the victim, potentially compromising system confidentiality and integrity.
Recommendation
Upgrade Forgejo to version 15.0.3 or later immediately to fix the vulnerability. Additionally, consider disabling the DEFAULT_SHOW_FULL_NAME option if not needed.
Original NVD description (English source)
Forgejo before 15.0.3 contains a stored cross-site scripting vulnerability that allows authenticated attackers to execute arbitrary JavaScript in other users' browsers by setting a full name containing an HTML payload and triggering an Actions run. When the DEFAULT_SHOW_FULL_NAME option is enabled, the run description is assembled server-side with the user's display name interpolated into an HTML string via a translation function that does not escape its arguments, and the frontend renders the result using a Vue v-html binding, causing script execution for any user who views the affected Actions run page.
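The root cause described above is a translation helper that substitutes a user-controlled display name into an HTML-bearing format string without escaping it. The following Go program is an added illustration of that pattern beside its hardened form; it is not Forgejo's code, and the translation key, the locale string, and the helper names (trUnsafe, trEscaped, displayName) are hypothetical stand-ins. It models the server-side half of the issue only: the frontend half of a complete fix is to render such strings with a text binding rather than v-html, or to keep v-html only for strings whose every argument has already been escaped.

```go
package main

import (
	"fmt"
	"html"
	"strings"
)

// Constructed locale table standing in for a translation file. The format
// string deliberately carries markup, as the advisory describes, and its
// argument is meant to be the user's display name. (Hypothetical key and
// text, not Forgejo's locale data.)
var translations = map[string]string{
	"actions.runs.pushed_by": "pushed by <a class=\"author\">%s</a>",
}

// trUnsafe reproduces the weak pattern: arguments are interpolated into
// the HTML format string verbatim, so markup in a display name survives.
func trUnsafe(key string, args ...any) string {
	return fmt.Sprintf(translations[key], args...)
}

// trEscaped is the hardened form: every string argument is HTML-escaped
// before substitution. The format string's own markup is preserved, while
// user-controlled text becomes inert character references.
func trEscaped(key string, args ...any) string {
	safe := make([]any, len(args))
	for i, a := range args {
		if s, ok := a.(string); ok {
			safe[i] = html.EscapeString(s)
		} else {
			safe[i] = a
		}
	}
	return fmt.Sprintf(translations[key], safe...)
}

// displayName models the DEFAULT_SHOW_FULL_NAME setting: when enabled and
// a full name is set, the full name is shown; otherwise the login is used.
func displayName(login, fullName string, showFullName bool) string {
	if showFullName && fullName != "" {
		return fullName
	}
	return login
}

// containsRawTag is a simple check for the demonstration: does the
// rendered HTML still contain an unescaped opening tag of the given name?
func containsRawTag(rendered, tag string) bool {
	return strings.Contains(strings.ToLower(rendered), "<"+strings.ToLower(tag))
}

func main() {
	// Constructed full name containing markup, to show the difference
	// between the two helpers.
	fullName := "Alice <script>alert(1)</script>"
	name := displayName("alice", fullName, true)
	fmt.Println("unsafe:  ", trUnsafe("actions.runs.pushed_by", name))
	fmt.Println("escaped: ", trEscaped("actions.runs.pushed_by", name))
	// With the option disabled, the login is used and the full name never
	// reaches the template at all (the advisory's suggested mitigation).
	fmt.Println("disabled:", trEscaped("actions.runs.pushed_by", displayName("alice", fullName, false)))
}
```

Escaping at the point where untrusted text enters an HTML string is the durable fix; disabling DEFAULT_SHOW_FULL_NAME only removes this one input path, which is why the recommendation above treats it as a supplement to upgrading rather than a replacement.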