PatchSiren cyber security CVE debrief
CVE-2026-28737 Gitea CVE debrief
CVE-2026-28737 is a high-severity vulnerability in Gitea, a self-hosted Git service. It allows stored cross-site scripting (XSS) attacks through the extensionsRequired field in glTF files rendered by the 3D file viewer. The vulnerability affects Gitea versions from 1.25.0 before 1.26.0. Successful exploitation could allow attackers to inject malicious scripts into the 3D file viewer, potentially leading to unauthorized actions or data breaches. Users should review their Gitea instances for exposure and plan for an upgrade to version 1.26.0 or later.
- Vendor
- Gitea
- Product
- Gitea
- CVSS
- HIGH 8.7
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-03
- Original CVE updated
- 2026-07-07
- Advisory published
- 2026-07-03
- Advisory updated
- 2026-07-07
Who should care
Users of Gitea, especially those hosting Gitea instances, should be aware of this vulnerability. It could allow attackers to inject malicious scripts into the 3D file viewer, potentially leading to unauthorized actions or data breaches. Gitea administrators should review their instances for exposure and plan for an upgrade to version 1.26.0 or later. Security teams should also review compensating controls for exposed systems and monitor for suspicious activity.
Technical summary
The vulnerability exists in the 3D file viewer of Gitea, specifically in how it handles glTF files. The extensionsRequired field in these files can be used to inject malicious scripts, which are then executed when the file is rendered. This is a stored XSS vulnerability, meaning the malicious script is stored on the server and executed when a user views the file. The vulnerability has a CVSS score of 8.7 and is classified as HIGH severity. Gitea instances should be reviewed for exposure, and defenders should consider implementing additional security measures such as Content Security Policy (CSP) headers.
Defensive priority
High
Recommended defensive actions
- Upgrade Gitea to version 1.26.0 or later
- Review and sanitize glTF files before uploading them to Gitea
- Implement additional security measures for the 3D file viewer, such as Content Security Policy (CSP) headers
- Monitor Gitea instances for suspicious activity related to 3D file uploads and rendering
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-07-03T21:16:59.787Z and was last modified on 2026-07-07T18:16:38.223Z. The NVD entry is currently Deferred. The vulnerability has a CVSS score of 8.7 and is classified as HIGH severity. There is limited information available about the vulnerability, and defenders should verify the affected scope and severity with the vendor. The CVE record and NVD entry provide the most accurate and up-to-date information.
Official resources
-
CVE-2026-28737 CVE record
CVE.org
-
CVE-2026-28737 NVD detail
NVD
-
Source item URL
nvd_modified
-
Source reference
88ee5874-cf24-4952-aea0-31affedb7ff2
-
Source reference
88ee5874-cf24-4952-aea0-31affedb7ff2
-
Source reference
88ee5874-cf24-4952-aea0-31affedb7ff2
-
Source reference
88ee5874-cf24-4952-aea0-31affedb7ff2
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-03T21:16:59.787Z and has not been modified since then. The NVD entry is currently Deferred.