vlang / gitly

Light and fast GitHub/GitLab alternative written in V


[SECURITY] XSS possible in readme

Not-Nik opened this issue · comments

You can insert JavaScript into a README.md that is executed without sanitation. This could be used to hijack a user's browser, to mine cryptocurrency, feed a botnet, e.g. to artificially increase a user's follower count on social media or to feed into a DDoS attack, even stealing bank information is possible.
A working POC is available at Not-Nik/lo3. The XSS is so basic in fact that a README.md of just

<script>
// Your arbitrary code here
</script>

is possible.

FYI since pushing to gitly is not available yet, the source is also viewable separately (without XSS :^) here

Thanks for reporting this!

Right now, markdown isn't rendered at all. I think md files are just dumped as text to the browser. So no vulnerability there.

Definitely something to keep in mind once markdown rendering is live.


An XSS vuln is usually considered critical...
You could steal sessions and a lot of other really bad stuff could happen and you don't care?

I never said anything about not caring. Dumping text to the browser window is NOT an XSS vulnerability, since it is just text, and doesn't get executed.

If you know for a fact that it is being executed, then yes, that is indeed a critical problem.

Well if you click on the link you should see an alert. That's a pretty good sign that there is some execution going on.

I stand corrected. This is indeed something that should be fixed ASAP.

This is not a gitly problem, this is a vweb problem, because the text is inserted wrong. It needs to be filtered.

well we use vweb.RawHtml to render readme.md

I've disabled it entirely, until we use an actual markdown parser again.

I've written a fix now for it in vweb with the new type vweb.RawText
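The distinction the thread ends on, a raw-HTML type versus an escaped-text type, shown as an added example using Go's html/template rather than gitly's or vweb's own code: template.HTML stands in for vweb.RawHtml and a plain string for vweb.RawText. The README body is constructed here from the payload shape in the issue.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	"strings"
)

// Constructed README body with the same shape as the payload in the issue.
const readmePayload = "<script>\n// Your arbitrary code here\n</script>\n"

// Page template: the README body is inserted into an HTML element context.
var page = template.Must(template.New("readme").Parse(
	`<div class="readme">{{.Body}}</div>`))

// renderRaw models the unsafe path: the body is typed as trusted HTML
// (the analogue of vweb.RawHtml), so the template emits it unchanged.
func renderRaw(body string) string {
	var buf bytes.Buffer
	_ = page.Execute(&buf, struct{ Body template.HTML }{template.HTML(body)})
	return buf.String()
}

// renderEscaped models the fixed path: the body is a plain string
// (the analogue of vweb.RawText), so html/template entity-encodes
// <, >, &, quotes and + before inserting it.
func renderEscaped(body string) string {
	var buf bytes.Buffer
	_ = page.Execute(&buf, struct{ Body string }{body})
	return buf.String()
}

// containsScriptTag is a coarse check used only to show which rendering
// leaves an executable element in the output.
func containsScriptTag(html string) bool {
	return strings.Contains(strings.ToLower(html), "<script")
}

func main() {
	fmt.Println("raw:     ", renderRaw(readmePayload))
	fmt.Println("escaped: ", renderEscaped(readmePayload))
}
```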