Developer Tools

In Gogs versions prior to 0.14.2 a high severity vulnerability CVE-2026-26276 was detected. This vulnerability allows attackers to store malicious HTML or JavaScript payloads in a repository’s Milestone name, which can trigger a DOM-based Cross-Site Scripting (XSS) attack when another user selects that milestone on the New Issue page. To address this issue, users should upgrade Gogs to version 0.14.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-26276.

In Jenkins versions 2.483 through 2.550, and LTS versions 2.492.1 through 2.541.1 a high severity vulnerability CVE-2026-27099 was detected. This vulnerability allows attackers with Agent/Configure or Agent/Disconnect permissions to inject malicious scripts through the “Mark temporarily offline” offline cause description, which is not properly escaped before being stored and displayed. To address this issue, users should upgrade Jenkins to versions 2.551 or 2.541.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-27099.

In Gogs versions 0.13.4 and prior a medium severity vulnerability CVE-2026-25120 was detected. This vulnerability allows repository administrators to delete comments from other repositories by supplying arbitrary comment IDs due to missing repository ownership validation in the DeleteComment API. To address this issue, users should upgrade Gogs to version 0.14.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-25120.

In Gogs versions 0.13.4 and prior a high severity vulnerability CVE-2026-25232 was detected. This vulnerability allows authenticated attackers with write permissions to delete protected branches, including the default branch, via a direct POST request to the web interface, bypassing branch protection mechanisms and enabling privilege escalation to perform administrative-level operations. To address this issue, users should upgrade Gogs to version 0.14.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-25232.

In Gogs versions 0.13.4 and below a high severity vulnerability CVE-2026-25229 was detected. This vulnerability allows authenticated users with write access to one repository to modify labels belonging to other repositories due to improper repository ownership validation in the Web UI label update endpoint. To address this issue, users should upgrade Gogs to version 0.14.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-25229.

In Gogs versions 0.13.4 and prior a critical severity vulnerability CVE-2026-25242 was detected. This vulnerability allows unauthenticated attackers to upload arbitrary files to the server via exposed attachment upload endpoints when the RequireSigninView setting is disabled, potentially leading to disk exhaustion, malware hosting, or abuse of the instance as a public file host. To address this issue, users should upgrade Gogs to version 0.14.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-25242.

In GitHub Copilot versions 1.0.0 before 1.5.63 a high severity vulnerability CVE-2026-21516 was identified. This vulnerability allows an unauthorized attacker to execute arbitrary code over a network due to improper neutralization of special elements used in a command (command injection). Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-21516.

In GitLab CE/EE versions 18.6 up to but not including 18.6.6, 18.7 up to but not including 18.7.4, and 18.8 up to but not including 18.8.4 a medium severity vulnerability CVE-2026-1282 was detected. This vulnerability allows authenticated attackers to inject malicious content into project label titles due to improper neutralization of script-related HTML tags, potentially leading to cross-site scripting (XSS). To address this issue, users should upgrade GitLab CE/EE to versions 18.6.6, 18.7.4, 18.8.4 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-1282.

In GitLab CE/EE versions 18.4 up to but not including 18.6.6, 18.7 up to but not including 18.7.4, and 18.8 up to but not including 18.8.4 a high severity vulnerability CVE-2026-0958 was detected. This vulnerability allows unauthenticated attackers to cause a denial-of-service condition through memory or CPU exhaustion by bypassing JSON validation middleware limits. To address this issue, users should upgrade GitLab CE/EE to versions 18.6.6, 18.7.4, 18.8.4 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-0958.