Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
No advisories yet.
Thu, 02 Jul 2026 20:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Forgejo before 15.0.3 contains a stored cross-site scripting vulnerability that allows authenticated attackers to execute arbitrary JavaScript in other users' browsers by setting a full name containing an HTML payload and triggering an Actions run. When the DEFAULT_SHOW_FULL_NAME option is enabled, the run description is assembled server-side with the user's display name interpolated into an HTML string via a translation function that does not escape its arguments, and the frontend renders the result using a Vue v-html binding, causing script execution for any user who views the affected Actions run page. | |
| Title | Forgejo < 15.0.3 - Stored XSS via Actions Run Full Name Rendering | |
| First Time appeared |
Forgejo
Forgejo forgejo |
|
| Weaknesses | CWE-79 | |
| CPEs | cpe:2.3:a:forgejo:forgejo:*:*:*:*:*:*:*:* | |
| Vendors & Products |
Forgejo
Forgejo forgejo |
|
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: VulnCheck
Published:
Updated: 2026-07-02T19:44:07.617Z
Reserved: 2026-07-02T15:38:18.929Z
Link: CVE-2026-59102
No data.
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-02T21:45:02Z