CVSS 8.7 (HIGH) Vulnerability

CVE-2026-28737: Gitea: Stored XSS via glTF `extensionsRequired` in Gitea 3D File Viewer


CVSS Score: 8.7
Severity: HIGH
CISA KEV: No
Impact Type: Vulnerability

📋 Vulnerability Details

CVE ID: CVE-2026-28737
Vendor: go
Affected Product: code.gitea.io/gitea
Vulnerability Type: Vulnerability
CVSS Score: 8.7 (HIGH)
Actively Exploited: No known exploitation
Patch Status: See Vendor Advisory
Reported By: CYBERDUDEBIVASH SENTINEL APEX Intelligence (via github_advisories)

🔬 Technical Analysis


Summary: Me again. Gitea's built-in 3D file viewer (powered by Online3DViewer) is vulnerable to stored cross-site scripting (XSS) through crafted .gltf files. When a glTF file declares an unsupported required extension, Online3DViewer generates an error message containing the extension name and Gitea inserts it into the DOM using innerHTML without sanitization. An attacker who can push a .gltf file to any repository can execute arbitrary JavaScript in the context of any user who views the file.
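The sink described above is a generic one: untrusted text (here, an extension name read out of a user-uploaded glTF JSON) ends up in an error string that is assigned to innerHTML. The following is an added example, not Gitea's or Online3DViewer's code, that contrasts that unsafe rendering with a textContent-based one, shows escaping for cases where surrounding markup is genuinely needed, and adds a defensive pre-check on `extensionsRequired` names that a hosting service could run at upload or indexing time. The error-message wording, the `EXT_NAME_RE` character class, and the element stand-ins used to run it outside a browser are all assumptions; the sample glTF is constructed and uses only a harmless `<b>` tag to show that markup is interpreted.

```javascript
// Added example (not Gitea's or Online3DViewer's code). Contrasts the unsafe
// pattern from the advisory (viewer error text assigned to innerHTML) with a
// hardened rendering, and adds a defensive check on glTF extensionsRequired.
// Element objects below are minimal stand-ins so this runs under Node without
// a DOM; in a browser, pass real elements instead.

// Constructed sample: a minimal glTF 2.0 document whose required extension
// name carries markup. A harmless <b> tag is enough to show the problem.
const SAMPLE_GLTF = JSON.stringify({
  asset: { version: "2.0" },
  extensionsRequired: ["<b>NOT_A_REAL_EXTENSION</b>"],
  scenes: [],
});

// Hypothetical wording; the real viewer's message text is not reproduced.
function unsupportedExtensionMessage(extName) {
  return `Unsupported required extension: ${extName}`;
}

// Vulnerable pattern: a message that embeds attacker-controlled text is
// assigned to innerHTML, so any markup in the extension name becomes live DOM.
function renderErrorUnsafe(el, message) {
  el.innerHTML = message;
  return el;
}

// Hardened pattern: textContent treats the entire message as inert text.
function renderErrorSafe(el, message) {
  el.textContent = message;
  return el;
}

// If HTML layout around the message is genuinely needed, escape the untrusted
// part before concatenating it into markup.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Defensive pre-check: glTF extension names follow a PREFIX_name identifier
// style (e.g. KHR_materials_clearcoat), so anything outside [A-Za-z0-9_] is
// not a legitimate name. The character class is an assumption based on that
// naming style, not a normative rule from the glTF specification.
const EXT_NAME_RE = /^[A-Z0-9]+_[A-Za-z0-9_]+$/;

function suspiciousRequiredExtensions(gltfJsonText) {
  let doc;
  try {
    doc = JSON.parse(gltfJsonText);
  } catch {
    return { parsed: false, suspicious: [] };
  }
  const required = Array.isArray(doc.extensionsRequired) ? doc.extensionsRequired : [];
  const suspicious = required.filter(
    (n) => typeof n !== "string" || !EXT_NAME_RE.test(n)
  );
  return { parsed: true, suspicious };
}

// Minimal element stand-in for running outside a browser.
function fakeElement() {
  return { innerHTML: "", textContent: "" };
}

// Runs the constructed sample through both renderings and the pre-check.
function demo() {
  const ext = JSON.parse(SAMPLE_GLTF).extensionsRequired[0];
  const msg = unsupportedExtensionMessage(ext);
  return {
    unsafe: renderErrorUnsafe(fakeElement(), msg),
    safe: renderErrorSafe(fakeElement(), msg),
    escaped: escapeHtml(msg),
    check: suspiciousRequiredExtensions(SAMPLE_GLTF),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

The pre-check is a complement to, not a substitute for, fixing the sink: an attacker-controlled value can reach the same innerHTML assignment through any other field the viewer echoes into an error, so the rendering side must treat every viewer-generated message as text.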

Affected Versions:
• Gitea 1.25.0 and later (3D file preview was introduced in 1.25 via the Online3DViewer integration)

• Confirmed on gitea:1.25-nightly (SHA e33d1da...), which bundles online-3d-viewer npm package v0.16.0
• The upstream [Online3DViewer](https://github.com/kovacs

🎯 Known Indicators of Compromise

• URL: https://github.com/kovacs (confidence score 0.82, first seen 2026-06-17, 1 source)

📚 Advisory References
