CVE-2026-28737: Gitea: Stored XSS via glTF `extensionsRequired` in Gitea 3D File Viewer
Gitea’s built-in 3D file viewer (powered by Online3DViewer) is vulnerable to stored cross-site scripting (XSS) through crafted .gltf files. When a glTF file declares, in its `extensionsRequired` array, an extension the viewer does not support, Online3DViewer generates an error message that contains the extension name verbatim, and Gitea inserts that message into the DOM via `innerHTML` without escaping it. Because the extension name is taken straight from the file, it is attacker-controlled: anyone who can push a .gltf file to a repository can execute arbitrary JavaScript in the browser, and in the Gitea session, of any user who opens the file in the viewer. No interaction beyond viewing the file is required.
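The following is an added illustration, not code from Gitea or Online3DViewer. It reconstructs the three pieces of the bug described above on a constructed sample file: extracting the unsupported required extensions from a .gltf document, the vulnerable "message into innerHTML" pattern beside its escaped equivalent, and a repository-side check that flags `extensionsRequired` entries that do not look like glTF extension names. The supported-extension list, the error wording and the sample files are assumptions made for the example; the real viewer's list and message text are not reproduced.

```javascript
// Added example, not code from Gitea or Online3DViewer. The extension list,
// the message wording and both sample files are constructed for illustration.
const SUPPORTED_EXTENSIONS = new Set([
  'KHR_materials_pbrSpecularGlossiness', // assumed supported set
  'KHR_texture_transform',
]);

// Constructed .gltf: structurally minimal, but its "required extension" is an
// HTML payload rather than an extension identifier.
const MALICIOUS_GLTF = JSON.stringify({
  asset: { version: '2.0' },
  extensionsRequired: ['<img src=x onerror="alert(document.domain)">'],
  scenes: [{ nodes: [] }],
  scene: 0,
});

// Constructed benign .gltf with a real-looking (but here unsupported) extension.
const BENIGN_GLTF = JSON.stringify({
  asset: { version: '2.0' },
  extensionsRequired: ['KHR_draco_mesh_compression'],
  scenes: [{ nodes: [] }],
  scene: 0,
});

// Which required extensions the viewer cannot honour. The names come straight
// from the file, so they are attacker-controlled.
function unsupportedRequiredExtensions(gltfText) {
  const doc = JSON.parse(gltfText);
  const required = Array.isArray(doc.extensionsRequired) ? doc.extensionsRequired : [];
  return required.filter((n) => typeof n === 'string' && !SUPPORTED_EXTENSIONS.has(n));
}

// Hypothetical error text; the viewer's actual wording is not reproduced.
function errorMessage(unsupported) {
  return `Required extension not supported: ${unsupported.join(', ')}`;
}

// Vulnerable pattern: the message is handed to the DOM as markup. The returned
// string is exactly what `el.innerHTML = message` would parse.
function renderWithInnerHTML(message) {
  return message;
}

// Hardened pattern: escape before any markup insertion. In effect this is what
// `el.textContent = message` gives you, since textContent is never parsed.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}
function renderEscaped(message) {
  return escapeHtml(message);
}

// Would the HTML parser create an element from this string? A tag start is all
// innerHTML needs to instantiate a node and fire handlers such as onerror.
function containsMarkup(html) {
  return /<[a-zA-Z!\/]/.test(html);
}

// Repository-side check (pre-receive hook or CI scan). glTF extension names
// follow PREFIX_name, so any entry outside that shape deserves a closer look.
// The pattern is a heuristic assumed here, not a rule from the glTF spec.
const EXTENSION_NAME = /^[A-Z0-9]+_[A-Za-z0-9_]+$/;
function suspiciousRequiredExtensions(gltfText) {
  let doc;
  try { doc = JSON.parse(gltfText); } catch { return []; }
  const required = Array.isArray(doc.extensionsRequired) ? doc.extensionsRequired : [];
  return required.filter((n) => typeof n !== 'string' || !EXTENSION_NAME.test(n));
}
```

Running `renderWithInnerHTML(errorMessage(unsupportedRequiredExtensions(MALICIOUS_GLTF)))` yields a string the browser would parse into an `<img>` element whose `onerror` handler executes; `renderEscaped` on the same message leaves only inert text. The check in `suspiciousRequiredExtensions` is a defence-in-depth measure for repositories, not a substitute for fixing the sink: the correct fix is to stop treating the error message as HTML.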