CVE-2025-47943

Public Exploit
Gogs stored XSS in PDF renderer

Description

Gogs is an open source self-hosted Git service. In application version 0.14.0+dev and prior, there is a stored cross-site scripting (XSS) vulnerability present in Gogs, which allows client-side Javascript code execution. The vulnerability is caused by the usage of a vulnerable and outdated component: pdfjs-1.4.20 under public/plugins/. This issue has been fixed for gogs.io/gogs in version 0.13.3.

Category

6.3
CVSS
Severity: Medium
CVSS 3.1 •
EPSS 0.03%
Affected: gogs gogs
Published at:
Updated at:

References

Link Tags
https://github.com/gogs/gogs/security/advisories/GHSA-xh32-cx6c-cp4v
https://github.com/gogs/gogs/commit/110117b2e5e5baa4809c819bec701e929d2d8d40
https://github.com/gogs/gogs/releases/tag/v0.13.3

Frequently Asked Questions

What is the severity of CVE-2025-47943?
CVE-2025-47943 has been scored as a medium severity vulnerability.
How to fix CVE-2025-47943?
To fix CVE-2025-47943, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2025-47943 being actively exploited in the wild?
It is possible that CVE-2025-47943 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2025-47943?
CVE-2025-47943 affects gogs gogs.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.