CVE-2026-28737

Summary

Gitea versions from 1.25.0 before 1.26.0 allow stored cross-site scripting through the extensionsRequired field in glTF files rendered by the 3D file viewer.

Affected Software

VendorProductVersion RangeStatus
GiteaGitea Open Source Git Server1.25.0 < 1.26.0affected

Weaknesses

  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

References