HarborGuardharborguardDatabase
Back to search
HIGHCVE-2026-28737Published Modified CNA Gitea

CVE-2026-28737: Gitea 3D file viewer allows stored XSS through glTF extensionsRequired

Gitea versions from 1.25.0 before 1.26.0 allow stored cross-site scripting through the extensionsRequired field in glTF files rendered by the 3D file viewer.

Metrics

CVSS v3.1
8.7
Severity
HIGH
Fixed in
1.26.0
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

Fix available

1.26.0
Affected packages
  • Gitea / Gitea Open Source Git Server
    < 1.26.0 (from 1.25.0)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N