References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected].

Change History

https://www.hacktivesecurity.com/blog/2025/07/15/cve-2025-47943-stored-xss-in-gogs-via-pdf

https://github.com/gogs/gogs/security/advisories/GHSA-xh32-cx6c-cp4v

Gogs is an open source self-hosted Git service. In application version 0.14.0+dev and prior, there is a stored cross-site scripting (XSS) vulnerability present in Gogs, which allows client-side Javascript code execution. The vulnerability is caused by the usage of a vulnerable and outdated component: pdfjs-1.4.20 under public/plugins/. This issue has been fixed for gogs.io/gogs in version 0.13.3.

AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N

CWE-79

https://github.com/gogs/gogs/commit/110117b2e5e5baa4809c819bec701e929d2d8d40

https://github.com/gogs/gogs/releases/tag/v0.13.3

https://github.com/gogs/gogs/security/advisories/GHSA-xh32-cx6c-cp4v