DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

GHSA-26GQ-GRMH-6XM6: Gogs: When 'Painless' Git Becomes Painful (Stored XSS via Mermaid)

Vulnerability ID: GHSA-26GQ-GRMH-6XM6
CVSS Score: 8.7
Published: 2026-02-06

A classic tale of neglected dependencies and implicit trust. Gogs, the self-described 'painless' self-hosted Git service, shipped a high-severity stored cross-site scripting (XSS) vulnerability. By bundling an outdated version of the Mermaid.js diagramming library and initializing it without the 'sandbox' security level, Gogs turned every issue, comment and wiki page that accepts Markdown into a place where an attacker could plant script that runs in other users' browsers. This report walks through the Mermaid bypass and why rendering user-supplied diagram DSLs on the client is a dangerous game.

TL;DR

Gogs bundled an outdated Mermaid.js (v8.14.0) to render diagrams embedded in Markdown. Because that version's sanitization could be bypassed and Gogs did not initialize the library with securityLevel: 'sandbox', anyone who can write Markdown (issues, comments, wiki pages) can inject JavaScript that executes in the browser of every user who views the page. Fixed in Gogs by upgrading the bundled Mermaid to v11.12.1.


⚠️ Exploit status: a proof of concept (PoC) exists.

Technical Details

  • Vulnerability Type: Stored Cross-Site Scripting (XSS)
  • Attack Vector: Network (Markdown Injection)
  • Affected Component: Mermaid.js v8.14.0 (bundled under public/plugins)
  • Impact: Session hijacking and any action performed with the victim's privileges; the report lists RCE as reachable through an administrator's session
  • Severity: High
  • Fix Version: Mermaid 11.12.1

Affected Systems

  • Gogs (Self-Hosted Git Service)
  • Gogs: every build before commit 71a72a7 (fixed in commit 71a72a7)

Code Analysis

Commit: 71a72a7

Upgrade mermaid to 11.12.1

- <script src="{{AppSubURL}}/plugins/mermaid-8.14.0/mermaid.min.js"></script>
+ <script src="{{AppSubURL}}/plugins/mermaid-11.12.1/mermaid.min.js"></script>
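Review bot: this hunk only swaps the bundled script path from mermaid-8.14.0 to mermaid-11.12.1; nothing in it passes securityLevel: 'sandbox' to the library, so the sandbox hardening recommended alongside the upgrade is not established by this change and the initialization call needs to be checked separately. The jump from 8.x to 11.x also spans several major releases, so the page's existing init code should be exercised against the new bundle before merging, and the now-unreferenced public/plugins/mermaid-8.14.0 directory should be removed so the vulnerable file is no longer served from a predictable path.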

Exploit Details

  • Manual research: the PoC uses the architecture-beta diagram type to inject image tags.

Mitigation Strategies

  • Update the bundled Mermaid.js library to version 11.12.1 or later.
  • Initialize Mermaid with securityLevel: 'sandbox', which renders diagrams inside a sandboxed iframe instead of the page's own DOM, so script smuggled through a diagram does not run in the Gogs origin.
  • Deploy a Content Security Policy (CSP) that restricts script sources and disallows inline script, as defense in depth: it limits what injected markup can execute even if the renderer's sanitization is bypassed again.

Remediation Steps:

  1. Stop the Gogs service.
  2. Apply the patch from commit 71a72a72ad1c8cea7940c9d7e4cbdfbc0fc3d401.
  3. Delete the public/plugins/mermaid-8.14.0 directory.
  4. Verify that public/plugins/mermaid-11.12.1 is present.
  5. Restart the Gogs service.
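As an added check covering both the mitigation list and the remediation steps above (example code written for this post, not Gogs' or Mermaid's own), the following Node.js script audits a Gogs template for both fixes at once: the bundled Mermaid version against 11.12.1, and whether mermaid.initialize() is passed securityLevel: 'sandbox'. The two templates inside it are constructed samples; the regex assumes the script path format shown in commit 71a72a7.

```javascript
// Added example (not Gogs or Mermaid code): audit a Gogs HTML template for the
// bundled Mermaid version and for the securityLevel handed to
// mermaid.initialize(). Run with: node audit-mermaid.js
// The templates at the bottom are constructed for this example; the script
// path format mirrors the one changed in commit 71a72a7.

const FIXED_VERSION = '11.12.1';
// Matches "plugins/mermaid-<x.y.z>/mermaid.js" or ".../mermaid.min.js".
const SCRIPT_RE = /plugins\/mermaid-(\d+\.\d+\.\d+)\/mermaid(?:\.min)?\.js/g;
// Matches the securityLevel option inside an initialize() call.
const SECURITY_RE = /securityLevel\s*:\s*['"]([A-Za-z]+)['"]/;

// Numeric comparison of dotted versions: <0 if a is older than b, 0 if equal, >0 if newer.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Every Mermaid version referenced by a bundled-script path in the template.
function findMermaidVersions(html) {
  const found = new Set();
  for (const m of html.matchAll(SCRIPT_RE)) found.add(m[1]);
  return [...found];
}

// The securityLevel string passed to mermaid.initialize(), or null if none is set.
function findSecurityLevel(html) {
  const m = html.match(SECURITY_RE);
  return m ? m[1] : null;
}

// Returns { versions, securityLevel, findings }. A template with no Mermaid
// bundle has nothing to audit; otherwise an outdated bundle and a missing or
// non-'sandbox' securityLevel are each reported as a finding.
function auditTemplate(html) {
  const versions = findMermaidVersions(html);
  const securityLevel = findSecurityLevel(html);
  const findings = [];
  if (versions.length === 0) return { versions, securityLevel, findings };
  for (const v of versions) {
    if (compareVersions(v, FIXED_VERSION) < 0) {
      findings.push(`bundled mermaid ${v} is older than the fixed version ${FIXED_VERSION}`);
    }
  }
  if (securityLevel !== 'sandbox') {
    findings.push(securityLevel === null
      ? "securityLevel is not set, so the library default ('strict') applies instead of 'sandbox'"
      : `securityLevel is '${securityLevel}', not 'sandbox'`);
  }
  return { versions, securityLevel, findings };
}

// Constructed sample templates (not Gogs' real templates).
const VULNERABLE_TEMPLATE = `
<script src="{{AppSubURL}}/plugins/mermaid-8.14.0/mermaid.min.js"></script>
<script>mermaid.initialize({ startOnLoad: true });</script>
`;
const HARDENED_TEMPLATE = `
<script src="{{AppSubURL}}/plugins/mermaid-11.12.1/mermaid.min.js"></script>
<script>mermaid.initialize({ startOnLoad: true, securityLevel: 'sandbox' });</script>
`;

for (const [name, html] of [['vulnerable', VULNERABLE_TEMPLATE], ['hardened', HARDENED_TEMPLATE]]) {
  const result = auditTemplate(html);
  console.log(`${name}: mermaid ${result.versions.join(', ') || 'none'}, ` +
    `securityLevel=${result.securityLevel}, findings=${result.findings.length}`);
  for (const f of result.findings) console.log(`  - ${f}`);
}
```

After applying the patch, read each file under the Gogs templates directory and pass its contents to auditTemplate; an empty findings list for every template that references Mermaid means both the version upgrade and the sandbox setting are in place. Like the sanitization it checks for, this is a pattern match: a template that assembles the script path or the init options dynamically needs a manual look.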

Read the full report for GHSA-26GQ-GRMH-6XM6 on our website for more details including interactive diagrams and full exploit analysis.
