GHSA-26gq-grmh-6xm6
HIGHGogs vulnerable to Stored XSS via Mermaid diagrams
Blast Radius
gogs.io/gogsReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects Go packages — download data is not available via public APIs for these ecosystems.
Description
Summary
Stored XSS via mermaid diagrams due to usage of vulnerable renderer library
Details
Gogs introduced support for rendering mermaid diagrams in version 0.13.0.
Currently used version of the library mermaid 11.9.0 is vulnerable to at least two XSS scenarios with publicly available payloads
Resources: https://github.com/mermaid-js/mermaid/security/advisories/GHSA-7rqq-prvp-x9jh https://github.com/mermaid-js/mermaid/security/advisories/GHSA-8gwm-58g9-j8pw
PoC
- Create a markdown file eg.
README.mdcontaining following malicious mermaid diagram (payload based on CVE-2025-54880)
architecture-beta
group api(cloud)[API]
service db "<img src=x onerror=\"alert(document.domain)\">" [Database] in api
- The XSS should pop whenever either repository or file is viewed
Demo
https://github.com/user-attachments/assets/98320f62-6c1c-4254-aa61-95598c725235
Impact
The attacker can potentially achieve account takeover In a worst case scenario if the victim were an instance admin this could lead to a compromise of the entire deployment
Proposed remediation steps
- Upgrade to a patched version of the third party library https://github.com/mermaid-js/mermaid/releases/tag/v10.9.5
- Consider running mermaid using
sandboxlevel which would mitigate impact of future potential cross-site scripting issues https://mermaid.js.org/config/usage.html#securitylevel
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 🐹Go | gogs.io/gogs | all versions | 0.13.4 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for gogs.io/gogs. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update gogs.io/gogs to 0.13.4 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-26gq-grmh-6xm6 is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-26gq-grmh-6xm6 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-26gq-grmh-6xm6. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-26gq-grmh-6xm6 in your dependencies?
O3 detects GHSA-26gq-grmh-6xm6 across Go dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.