AI Threat Alert
GHSA-6vxv-wg6j-5qwp: Gogs: XSS via outdated Jupyter renderer, account takeover
GHSA-6vxv-wg6j-5qwp HIGHGogs uses a Jupyter notebook renderer (notebookjs 0.4.2) that is four major versions behind the patched release (0.8.3), exposing organizations to a publicly-documented XSS class where any authenticated user can embed executable JavaScript inside a .ipynb file. With 2,954 downstream dependents and 16 prior CVEs in the same package, this reflects systemic dependency hygiene failures that have persisted unaddressed. In AI/ML organizations where Jupyter notebooks are the primary collaboration medium and are routinely shared via internal Gogs instances — often containing embedded API keys, cloud credentials, and model access tokens — a single crafted notebook link sent to an admin user is sufficient to achieve full account takeover. Upgrade Gogs to version 0.14.3 immediately; if patching is delayed, restrict repository creation to verified users and audit existing .ipynb files for embedded HTML payloads.
What is the risk?
Medium-High risk. A working PoC is publicly disclosed and exploitation requires no AI/ML expertise — only a valid Gogs user account, making this accessible to low-skill attackers. The attack is particularly impactful in AI/ML environments where notebooks are the default collaboration artifact and frequently contain secrets. No active exploitation or KEV listing moderates immediate urgency, but the trivial exploitation complexity and full account takeover impact keep this squarely in the remediation-this-sprint category. The OpenSSF Scorecard of 5.8/10 and 16 other CVEs in the same package suggest sustained security hygiene issues that should not be dismissed as isolated.
How does the attack unfold?
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Jupyter Notebook | go | < 0.14.3 | 0.14.3 |
Do you use Jupyter Notebook? You're affected.
How severe is it?
What should I do?
6 steps-
Patch: Upgrade Gogs to version 0.14.3 or later — this updates notebookjs to a version with XSS patches applied.
-
Workaround (if immediate patching is not possible): Restrict repository creation to trusted users only via Gogs admin settings to limit who can upload .ipynb files.
-
Detection: Audit existing .ipynb files for suspicious HTML content: grep -rE '<script|onerror=|javascript:|<iframe' --include='*.ipynb' /path/to/repos.
-
Secrets rotation: Assume any credentials embedded in notebooks accessible to untrusted users on the affected Gogs instance may have been observed or exfiltrated.
-
Network controls: Enforce Content-Security-Policy headers on the Gogs deployment to limit the blast radius of residual XSS.
-
Dependency hygiene: Establish a process to monitor transitive JavaScript dependencies in self-hosted dev tools for version drift.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is GHSA-6vxv-wg6j-5qwp?
Gogs uses a Jupyter notebook renderer (notebookjs 0.4.2) that is four major versions behind the patched release (0.8.3), exposing organizations to a publicly-documented XSS class where any authenticated user can embed executable JavaScript inside a .ipynb file. With 2,954 downstream dependents and 16 prior CVEs in the same package, this reflects systemic dependency hygiene failures that have persisted unaddressed. In AI/ML organizations where Jupyter notebooks are the primary collaboration medium and are routinely shared via internal Gogs instances — often containing embedded API keys, cloud credentials, and model access tokens — a single crafted notebook link sent to an admin user is sufficient to achieve full account takeover. Upgrade Gogs to version 0.14.3 immediately; if patching is delayed, restrict repository creation to verified users and audit existing .ipynb files for embedded HTML payloads.
Is GHSA-6vxv-wg6j-5qwp actively exploited?
No confirmed active exploitation of GHSA-6vxv-wg6j-5qwp has been reported, but organizations should still patch proactively.
How to fix GHSA-6vxv-wg6j-5qwp?
1. Patch: Upgrade Gogs to version 0.14.3 or later — this updates notebookjs to a version with XSS patches applied. 2. Workaround (if immediate patching is not possible): Restrict repository creation to trusted users only via Gogs admin settings to limit who can upload .ipynb files. 3. Detection: Audit existing .ipynb files for suspicious HTML content: grep -rE '<script|onerror=|javascript:|<iframe' --include='*.ipynb' /path/to/repos. 4. Secrets rotation: Assume any credentials embedded in notebooks accessible to untrusted users on the affected Gogs instance may have been observed or exfiltrated. 5. Network controls: Enforce Content-Security-Policy headers on the Gogs deployment to limit the blast radius of residual XSS. 6. Dependency hygiene: Establish a process to monitor transitive JavaScript dependencies in self-hosted dev tools for version drift.
What systems are affected by GHSA-6vxv-wg6j-5qwp?
This vulnerability affects the following AI/ML architecture patterns: MLOps pipelines using Gogs for source control, Jupyter notebook collaboration environments, Internal ML code and model repositories, Data science team version control infrastructure, CI/CD pipelines connected to Gogs webhooks.
What is the CVSS score for GHSA-6vxv-wg6j-5qwp?
No CVSS score has been assigned yet.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0010.001 AI Software AML.T0011.003 Malicious Link AML.T0012 Valid Accounts AML.T0049 Exploit Public-Facing Application Compliance Controls Affected
What are the technical details?
Original Advisory
### Summary Gogs renders Jupyter notebook files (`.ipynb`) using [jsvine/notebookjs](https://github.com/jsvine/notebookjs), but the version is outdated, missing patches for known XSS vulnerabilities. ### Details Gogs uses version 0.4.2 of notebookjs to render Jupyter notebook files: https://github.com/gogs/gogs/blob/7297aee50d4c115836c7de8a3a233daaef87b911/templates/base/head.tmpl#L47 The latest version of [jsvine/notebookjs](https://github.com/jsvine/notebookjs) is 0.8.3, patching many XSS vulnerabilities in its releases. The proof of concept below shows an example working payload that renders HTML through Markdown. ### PoC 1. Create a new repository 2. Create a file inside the repository named `xss.ipynb` and give it the following content: ```json {"cells": [{"cell_type": "markdown", "metadata": {}, "source": ["<img src=x onerror=\"alert(origin)\">"]}], "metadata": {}, "nbformat": 4, "nbformat_minor": 2} ``` <img width="1054" height="208" alt="image" src="https://github.com/user-attachments/assets/49b7f33c-c4df-4537-99e9-b1ea74f2c6de" /> 3. Save the file and view the file in Gogs. Notice that the XSS popup triggers: <img width="1317" height="407" alt="image" src="https://github.com/user-attachments/assets/3b18d870-7194-41b0-92db-687e952abc07" /> ### Impact Any user with rights to create repositories can create XSS payloads that take over the victim's account when visited. Either through their own exploration of the files or by directly linking them the vulnerable URL.
Exploitation Scenario
An attacker with a low-privilege Gogs account at an AI organization creates an internal repository and uploads an .ipynb file containing a JavaScript payload in a markdown cell — e.g., an img tag with an onerror handler that exfiltrates document.cookie to an attacker-controlled endpoint. The attacker frames the notebook as a shared experiment or data pipeline result and sends the direct Gogs file URL to an admin or senior data scientist via internal Slack. When the victim opens the link while authenticated, the XSS fires in their browser session, sending their Gogs session cookie to the attacker. The attacker replays the cookie to gain admin access, where they can read all model repositories, exfiltrate API keys committed to notebooks, and silently modify training scripts or CI/CD pipelines to introduce backdoors into ML model artifacts before deployment.
Weaknesses (CWE)
CWE-1395 Dependency on Vulnerable Third-Party Component
Primary
CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
Primary
CWE-1395 — Dependency on Vulnerable Third-Party Component: The product has a dependency on a third-party component that contains one or more known vulnerabilities.
- [Requirements, Policy] In some industries such as healthcare [REF-1320] [REF-1322] or technologies such as the cloud [REF-1321], it might be unclear about who is responsible for applying patches for third-party vulnerabilities: the vendor, the operator/customer, or a separate service. Clarifying roles and responsibilities can be important to minimize confusion or unnecessary delay when third-party vulnerabilities are disclosed.
- [Requirements] Require a Bill of Materials for all components and sub-components of the product. For software, require a Software Bill of Materials (SBOM) [REF-1247] [REF-1311].
Source: MITRE CWE corpus.
References
Timeline
Related Vulnerabilities
CVE-2026-42266 8.8 JupyterLab: Extension allow-list bypass enables privesc
Same package: notebook CVE-2026-5422 8.1 jupyter-server: path traversal exposes sibling dir files
Same package: notebook CVE-2018-8768 7.8 Jupyter Notebook: XSS via malicious .ipynb file
Same package: notebook CVE-2026-54293 7.5 NLTK: path traversal leaks arbitrary local files
Same package: notebook CVE-2026-35397 7.1 Jupyter Server: path traversal leaks sibling directories
Same package: notebook