Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
124 vulnerabilities found for Gogs by Gogs
CVE-2026-52797 (GCVE-0-2026-52797)
Vulnerability from cvelistv5 – Published: 2026-06-24 20:35 – Updated: 2026-06-24 20:35
VLAI
Title
Gogs: Overwriting critical files results in a denial of service
Summary
Gogs is an open source self-hosted Git service. Prior to 0.14.0, as an authorized user, an intruder can dictate the value which is passed to the git diff command which, together with bypassing the filtering of the passed value, allows the user to bypass the target directory and write the result of the comparison to any arbitrary path. This vulnerability is fixed in 0.14.0.
Severity
8.5 (High)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/gogs/gogs/security/advisories/… | x_refsource_CONFIRM |
{
"containers": {
"cna": {
"affected": [
{
"product": "gogs",
"vendor": "gogs",
"versions": [
{
"status": "affected",
"version": "\u003c 0.14.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Gogs is an open source self-hosted Git service. Prior to 0.14.0, as an authorized user, an intruder can dictate the value which is passed to the git diff command which, together with bypassing the filtering of the passed value, allows the user to bypass the target directory and write the result of the comparison to any arbitrary path. This vulnerability is fixed in 0.14.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T20:35:09.235Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gogs/gogs/security/advisories/GHSA-pm6v-2h4w-4rp2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gogs/gogs/security/advisories/GHSA-pm6v-2h4w-4rp2"
}
],
"source": {
"advisory": "GHSA-pm6v-2h4w-4rp2",
"discovery": "UNKNOWN"
},
"title": "Gogs: Overwriting critical files results in a denial of service"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-52797",
"datePublished": "2026-06-24T20:35:09.235Z",
"dateReserved": "2026-06-08T18:02:19.731Z",
"dateUpdated": "2026-06-24T20:35:09.235Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-52813 (GCVE-0-2026-52813)
Vulnerability from cvelistv5 – Published: 2026-06-24 20:33 – Updated: 2026-06-24 20:33
VLAI
Title
Gogs: Path Traversal in organization name results in RCE through Git hooks
Summary
Gogs is an open source self-hosted Git service. Prior to 0.14.3, organization names containing path traversal sequences (../) are accepted by Gogs, and repositories under them are written to paths following these path traversals. This allows storing/retrieving data for repositories at arbitrary locations on the filesystem. By creating nested structure of Git repositories, one can overwrite the other's hooks configuration to result in Remote Code Execution (RCE). This vulnerability is fixed in 0.14.3.
Severity
10 (Critical)
CWE
- CWE-23 - Relative Path Traversal
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/gogs/gogs/security/advisories/… | x_refsource_CONFIRM |
| https://github.com/gogs/gogs/pull/8334 | x_refsource_MISC |
| https://github.com/gogs/gogs/commit/f6acd46730594… | x_refsource_MISC |
| https://github.com/gogs/gogs/releases/tag/v0.14.3 | x_refsource_MISC |
{
"containers": {
"cna": {
"affected": [
{
"product": "gogs",
"vendor": "gogs",
"versions": [
{
"status": "affected",
"version": "\u003c 0.14.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Gogs is an open source self-hosted Git service. Prior to 0.14.3, organization names containing path traversal sequences (../) are accepted by Gogs, and repositories under them are written to paths following these path traversals. This allows storing/retrieving data for repositories at arbitrary locations on the filesystem. By creating nested structure of Git repositories, one can overwrite the other\u0027s hooks configuration to result in Remote Code Execution (RCE). This vulnerability is fixed in 0.14.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-23",
"description": "CWE-23: Relative Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T20:33:42.162Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gogs/gogs/security/advisories/GHSA-c39w-43gm-34h5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gogs/gogs/security/advisories/GHSA-c39w-43gm-34h5"
},
{
"name": "https://github.com/gogs/gogs/pull/8334",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gogs/gogs/pull/8334"
},
{
"name": "https://github.com/gogs/gogs/commit/f6acd467305943aae8403cbac81f0118dd1235d7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gogs/gogs/commit/f6acd467305943aae8403cbac81f0118dd1235d7"
},
{
"name": "https://github.com/gogs/gogs/releases/tag/v0.14.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gogs/gogs/releases/tag/v0.14.3"
}
],
"source": {
"advisory": "GHSA-c39w-43gm-34h5",
"discovery": "UNKNOWN"
},
"title": "Gogs: Path Traversal in organization name results in RCE through Git hooks"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-52813",
"datePublished": "2026-06-24T20:33:42.162Z",
"dateReserved": "2026-06-08T18:11:06.660Z",
"dateUpdated": "2026-06-24T20:33:42.162Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-52812 (GCVE-0-2026-52812)
Vulnerability from cvelistv5 – Published: 2026-06-24 20:32 – Updated: 2026-06-24 20:32
VLAI
Title
Gogs: LFS dedupe path leaks private repo content across tenants
Summary
Gogs is an open source self-hosted Git service. Prior to 0.14.3, Git LFS storage is content-addressed by OID alone (<LFS-root>/<oid[0]>/<oid[1]>/<oid>) but per-repo authorization lives in the lfs_object table keyed (repo_id, oid). serveUpload skips re-uploading when the OID file already exists on disk and inserts a new (repo_id, oid) row pointing at it without verifying the request body hashes to the OID being claimed. Any user with write access to one repo can bind their repo to an OID owned by a private repo and download the original bytes via their own download endpoint. This vulnerability is fixed in 0.14.3.
Severity
CWE
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/gogs/gogs/security/advisories/… | x_refsource_CONFIRM |
| https://github.com/gogs/gogs/pull/8333 | x_refsource_MISC |
| https://github.com/gogs/gogs/commit/f35a767af74e0… | x_refsource_MISC |
| https://github.com/gogs/gogs/releases/tag/v0.14.3 | x_refsource_MISC |
{
"containers": {
"cna": {
"affected": [
{
"product": "gogs",
"vendor": "gogs",
"versions": [
{
"status": "affected",
"version": "\u003c 0.14.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Gogs is an open source self-hosted Git service. Prior to 0.14.3, Git LFS storage is content-addressed by OID alone (\u003cLFS-root\u003e/\u003coid[0]\u003e/\u003coid[1]\u003e/\u003coid\u003e) but per-repo authorization lives in the lfs_object table keyed (repo_id, oid). serveUpload skips re-uploading when the OID file already exists on disk and inserts a new (repo_id, oid) row pointing at it without verifying the request body hashes to the OID being claimed. Any user with write access to one repo can bind their repo to an OID owned by a private repo and download the original bytes via their own download endpoint. This vulnerability is fixed in 0.14.3."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-345",
"description": "CWE-345: Insufficient Verification of Data Authenticity",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T20:32:51.608Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gogs/gogs/security/advisories/GHSA-6p9m-q3jp-47h4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gogs/gogs/security/advisories/GHSA-6p9m-q3jp-47h4"
},
{
"name": "https://github.com/gogs/gogs/pull/8333",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gogs/gogs/pull/8333"
},
{
"name": "https://github.com/gogs/gogs/commit/f35a767af74e05342bafc6fdda02c791816426f8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gogs/gogs/commit/f35a767af74e05342bafc6fdda02c791816426f8"
},
{
"name": "https://github.com/gogs/gogs/releases/tag/v0.14.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gogs/gogs/releases/tag/v0.14.3"
}
],
"source": {
"advisory": "GHSA-6p9m-q3jp-47h4",
"discovery": "UNKNOWN"
},
"title": "Gogs: LFS dedupe path leaks private repo content across tenants"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-52812",
"datePublished": "2026-06-24T20:32:51.608Z",
"dateReserved": "2026-06-08T18:11:06.660Z",
"dateUpdated": "2026-06-24T20:32:51.608Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-52811 (GCVE-0-2026-52811)
Vulnerability from cvelistv5 – Published: 2026-06-24 20:31 – Updated: 2026-06-24 20:31
VLAI
Title
Gogs: UploadRepoFiles writes outside repo working tree via committed parent sym
Summary
Gogs is an open source self-hosted Git service. Prior to 0.14.3, (*Repository).UploadRepoFiles checks for symlinks only on the leaf of the upload target (osx.IsSymlink(targetPath)). The siblings UpdateRepoFile, DeleteRepoFile, and GetDiffPreview use hasSymlinkInPath, which lstats every component — UploadRepoFiles is the lone outlier. An attacker with repo-write access plus a multipart upload whose filename contains a literal backslash (preserved by filepath.Base on Linux, then converted to / by pathx.Clean) redirects the write through a previously-committed directory symlink. iox.CopyFile opens the destination with os.Create (no O_NOFOLLOW), so the kernel follows the parent symlink and writes attacker bytes anywhere the gogs UID can write — ~git/.ssh/authorized_keys → SSH foothold, or <repo>.git/hooks/post-receive → next-push RCE. This vulnerability is fixed in 0.14.3.
Severity
CWE
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/gogs/gogs/security/advisories/… | x_refsource_CONFIRM |
| https://github.com/gogs/gogs/pull/8332 | x_refsource_MISC |
| https://github.com/gogs/gogs/commit/04cb8afbb01d8… | x_refsource_MISC |
| https://github.com/gogs/gogs/releases/tag/v0.14.3 | x_refsource_MISC |
{
"containers": {
"cna": {
"affected": [
{
"product": "gogs",
"vendor": "gogs",
"versions": [
{
"status": "affected",
"version": "\u003c 0.14.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Gogs is an open source self-hosted Git service. Prior to 0.14.3, (*Repository).UploadRepoFiles checks for symlinks only on the leaf of the upload target (osx.IsSymlink(targetPath)). The siblings UpdateRepoFile, DeleteRepoFile, and GetDiffPreview use hasSymlinkInPath, which lstats every component \u2014 UploadRepoFiles is the lone outlier. An attacker with repo-write access plus a multipart upload whose filename contains a literal backslash (preserved by filepath.Base on Linux, then converted to / by pathx.Clean) redirects the write through a previously-committed directory symlink. iox.CopyFile opens the destination with os.Create (no O_NOFOLLOW), so the kernel follows the parent symlink and writes attacker bytes anywhere the gogs UID can write \u2014 ~git/.ssh/authorized_keys \u2192 SSH foothold, or \u003crepo\u003e.git/hooks/post-receive \u2192 next-push RCE. This vulnerability is fixed in 0.14.3."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 9,
"baseSeverity": "CRITICAL",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-59",
"description": "CWE-59: Improper Link Resolution Before File Access (\u0027Link Following\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-61",
"description": "CWE-61: UNIX Symbolic Link (Symlink) Following",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T20:31:38.233Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gogs/gogs/security/advisories/GHSA-89mr-xqfv-758m",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gogs/gogs/security/advisories/GHSA-89mr-xqfv-758m"
},
{
"name": "https://github.com/gogs/gogs/pull/8332",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gogs/gogs/pull/8332"
},
{
"name": "https://github.com/gogs/gogs/commit/04cb8afbb01d855454e59977a1cdbf522ea1db31",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gogs/gogs/commit/04cb8afbb01d855454e59977a1cdbf522ea1db31"
},
{
"name": "https://github.com/gogs/gogs/releases/tag/v0.14.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gogs/gogs/releases/tag/v0.14.3"
}
],
"source": {
"advisory": "GHSA-89mr-xqfv-758m",
"discovery": "UNKNOWN"
},
"title": "Gogs: UploadRepoFiles writes outside repo working tree via committed parent sym"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-52811",
"datePublished": "2026-06-24T20:31:38.233Z",
"dateReserved": "2026-06-08T18:11:06.659Z",
"dateUpdated": "2026-06-24T20:31:38.233Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-52810 (GCVE-0-2026-52810)
Vulnerability from cvelistv5 – Published: 2026-06-24 20:30 – Updated: 2026-06-24 20:32
VLAI
Title
Gogs: Write to readonly repositories using receive-pack + service=git-upload-pack confusion
Summary
Gogs is an open source self-hosted Git service. Prior to 0.14.3, Git smart HTTP authorizes POST …/git-receive-pack using the client-supplied service query string (so ?service=git-upload-pack is evaluated as read access) while routing still runs git receive-pack, allowing push where only read should be allowed. This vulnerability is fixed in 0.14.3.
Severity
CWE
- CWE-284 - Improper Access Control
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/gogs/gogs/security/advisories/… | x_refsource_CONFIRM |
| https://github.com/gogs/gogs/pull/8331 | x_refsource_MISC |
| https://github.com/gogs/gogs/commit/7c9cf53aca957… | x_refsource_MISC |
| https://github.com/gogs/gogs/releases/tag/v0.14.3 | x_refsource_MISC |
{
"containers": {
"cna": {
"affected": [
{
"product": "gogs",
"vendor": "gogs",
"versions": [
{
"status": "affected",
"version": "\u003c 0.14.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Gogs is an open source self-hosted Git service. Prior to 0.14.3, Git smart HTTP authorizes POST \u2026/git-receive-pack using the client-supplied service query string (so ?service=git-upload-pack is evaluated as read access) while routing still runs git receive-pack, allowing push where only read should be allowed. This vulnerability is fixed in 0.14.3."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T20:32:09.080Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gogs/gogs/security/advisories/GHSA-wmfg-5p4h-5fw3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gogs/gogs/security/advisories/GHSA-wmfg-5p4h-5fw3"
},
{
"name": "https://github.com/gogs/gogs/pull/8331",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gogs/gogs/pull/8331"
},
{
"name": "https://github.com/gogs/gogs/commit/7c9cf53aca957959bcd98b0cc987d9901b7cb184",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gogs/gogs/commit/7c9cf53aca957959bcd98b0cc987d9901b7cb184"
},
{
"name": "https://github.com/gogs/gogs/releases/tag/v0.14.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gogs/gogs/releases/tag/v0.14.3"
}
],
"source": {
"advisory": "GHSA-wmfg-5p4h-5fw3",
"discovery": "UNKNOWN"
},
"title": "Gogs: Write to readonly repositories using receive-pack + service=git-upload-pack confusion"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-52810",
"datePublished": "2026-06-24T20:30:41.637Z",
"dateReserved": "2026-06-08T18:02:19.732Z",
"dateUpdated": "2026-06-24T20:32:09.080Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-52809 (GCVE-0-2026-52809)
Vulnerability from cvelistv5 – Published: 2026-06-24 20:29 – Updated: 2026-06-24 20:29
VLAI
Title
Gogs: Password-reset tokens use account-activation lifetime, ignoring RESET_PASSWORD_CODE_LIVES
Summary
Gogs is an open source self-hosted Git service. Prior to 0.14.3, password-reset tokens are generated using conf.Auth.ActivateCodeLives (the account-activation lifetime), not conf.Auth.ResetPasswordCodeLives. The token lifetime is baked into the token itself at generation time and is re-extracted from the token at verification time, making RESET_PASSWORD_CODE_LIVES irrelevant to actual enforcement. When an administrator configures a shorter reset window (e.g., 10 minutes) for compliance or security reasons, reset tokens remain exploitable for the full activation lifetime instead, while the reset email falsely advertises the shorter expiry. This vulnerability is fixed in 0.14.3.
Severity
6.8 (Medium)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/gogs/gogs/security/advisories/… | x_refsource_CONFIRM |
| https://github.com/gogs/gogs/releases/tag/v0.14.3 | x_refsource_MISC |
{
"containers": {
"cna": {
"affected": [
{
"product": "gogs",
"vendor": "gogs",
"versions": [
{
"status": "affected",
"version": "\u003c 0.14.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Gogs is an open source self-hosted Git service. Prior to 0.14.3, password-reset tokens are generated using conf.Auth.ActivateCodeLives (the account-activation lifetime), not conf.Auth.ResetPasswordCodeLives. The token lifetime is baked into the token itself at generation time and is re-extracted from the token at verification time, making RESET_PASSWORD_CODE_LIVES irrelevant to actual enforcement. When an administrator configures a shorter reset window (e.g., 10 minutes) for compliance or security reasons, reset tokens remain exploitable for the full activation lifetime instead, while the reset email falsely advertises the shorter expiry. This vulnerability is fixed in 0.14.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-324",
"description": "CWE-324: Use of a Key Past its Expiration Date",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613: Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T20:29:29.701Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gogs/gogs/security/advisories/GHSA-5c3f-6486-3g7g",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gogs/gogs/security/advisories/GHSA-5c3f-6486-3g7g"
},
{
"name": "https://github.com/gogs/gogs/releases/tag/v0.14.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gogs/gogs/releases/tag/v0.14.3"
}
],
"source": {
"advisory": "GHSA-5c3f-6486-3g7g",
"discovery": "UNKNOWN"
},
"title": "Gogs: Password-reset tokens use account-activation lifetime, ignoring RESET_PASSWORD_CODE_LIVES"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-52809",
"datePublished": "2026-06-24T20:29:29.701Z",
"dateReserved": "2026-06-08T18:02:19.732Z",
"dateUpdated": "2026-06-24T20:29:29.701Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-52808 (GCVE-0-2026-52808)
Vulnerability from cvelistv5 – Published: 2026-06-24 20:27 – Updated: 2026-06-24 20:27
VLAI
Title
Gogs: Write-level collaborators can mutate admin-only repository settings via API
Summary
Gogs is an open source self-hosted Git service. Prior to 0.14.3, three API endpoints — PATCH /api/v1/repos/:owner/:repo/issue-tracker, PATCH /api/v1/repos/:owner/:repo/wiki, and POST /api/v1/repos/:owner/:repo/mirror-sync — are gated by reqRepoWriter() rather than reqRepoAdmin(). The equivalent operations in the web UI sit behind reqRepoAdmin, which requires AccessMode >= AccessModeAdmin. A write-level collaborator (who has AccessMode == AccessModeWrite < AccessModeAdmin) can therefore call these API endpoints directly to disable the native issue tracker or wiki, inject attacker-controlled external tracker/wiki URLs that redirect all repository visitors, or trigger mirror sync — none of which they are authorized to do. This vulnerability is fixed in 0.14.3.
Severity
7.1 (High)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/gogs/gogs/security/advisories/… | x_refsource_CONFIRM |
| https://github.com/gogs/gogs/pull/8327 | x_refsource_MISC |
| https://github.com/gogs/gogs/commit/6283462119bd8… | x_refsource_MISC |
| https://github.com/gogs/gogs/releases/tag/v0.14.3 | x_refsource_MISC |
{
"containers": {
"cna": {
"affected": [
{
"product": "gogs",
"vendor": "gogs",
"versions": [
{
"status": "affected",
"version": "\u003c 0.14.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Gogs is an open source self-hosted Git service. Prior to 0.14.3, three API endpoints \u2014 PATCH /api/v1/repos/:owner/:repo/issue-tracker, PATCH /api/v1/repos/:owner/:repo/wiki, and POST /api/v1/repos/:owner/:repo/mirror-sync \u2014 are gated by reqRepoWriter() rather than reqRepoAdmin(). The equivalent operations in the web UI sit behind reqRepoAdmin, which requires AccessMode \u003e= AccessModeAdmin. A write-level collaborator (who has AccessMode == AccessModeWrite \u003c AccessModeAdmin) can therefore call these API endpoints directly to disable the native issue tracker or wiki, inject attacker-controlled external tracker/wiki URLs that redirect all repository visitors, or trigger mirror sync \u2014 none of which they are authorized to do. This vulnerability is fixed in 0.14.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269: Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T20:27:41.410Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gogs/gogs/security/advisories/GHSA-268j-37xf-pp52",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gogs/gogs/security/advisories/GHSA-268j-37xf-pp52"
},
{
"name": "https://github.com/gogs/gogs/pull/8327",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gogs/gogs/pull/8327"
},
{
"name": "https://github.com/gogs/gogs/commit/6283462119bd8894f1599d70339b5e823f99954a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gogs/gogs/commit/6283462119bd8894f1599d70339b5e823f99954a"
},
{
"name": "https://github.com/gogs/gogs/releases/tag/v0.14.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gogs/gogs/releases/tag/v0.14.3"
}
],
"source": {
"advisory": "GHSA-268j-37xf-pp52",
"discovery": "UNKNOWN"
},
"title": "Gogs: Write-level collaborators can mutate admin-only repository settings via API"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-52808",
"datePublished": "2026-06-24T20:27:41.410Z",
"dateReserved": "2026-06-08T18:02:19.732Z",
"dateUpdated": "2026-06-24T20:27:41.410Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-52816 (GCVE-0-2026-52816)
Vulnerability from cvelistv5 – Published: 2026-06-24 20:26 – Updated: 2026-06-24 20:26
VLAI
Title
Gogs: Unauthenticated Jupyter Notebook (ipynb) Sanitizer allows arbitrary data: URIs leading to XSS
Summary
Gogs is an open source self-hosted Git service. Prior to 0.14.3, the Jupyter Notebook (ipynb) sanitizer endpoint at POST /-/api/sanitize_ipynb allows arbitrary data: URIs without proper restrictions, potentially leading to Cross-Site Scripting (XSS). The endpoint uses bluemonday.UGCPolicy() with p.AllowURLSchemes("data") which permits all data URI schemes including data:text/html, enabling attackers to inject malicious HTML/JavaScript. Additionally, the endpoint has no authentication middleware, allowing any registered user to exploit this vulnerability. This vulnerability is fixed in 0.14.3.
Severity
CWE
- CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/gogs/gogs/security/advisories/… | x_refsource_CONFIRM |
| https://github.com/gogs/gogs/pull/8326 | x_refsource_MISC |
| https://github.com/gogs/gogs/commit/dd1bd9837aa19… | x_refsource_MISC |
| https://github.com/gogs/gogs/releases/tag/v0.14.3 | x_refsource_MISC |
{
"containers": {
"cna": {
"affected": [
{
"product": "gogs",
"vendor": "gogs",
"versions": [
{
"status": "affected",
"version": "\u003c 0.14.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Gogs is an open source self-hosted Git service. Prior to 0.14.3, the Jupyter Notebook (ipynb) sanitizer endpoint at POST /-/api/sanitize_ipynb allows arbitrary data: URIs without proper restrictions, potentially leading to Cross-Site Scripting (XSS). The endpoint uses bluemonday.UGCPolicy() with p.AllowURLSchemes(\"data\") which permits all data URI schemes including data:text/html, enabling attackers to inject malicious HTML/JavaScript. Additionally, the endpoint has no authentication middleware, allowing any registered user to exploit this vulnerability. This vulnerability is fixed in 0.14.3."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-80",
"description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T20:26:34.151Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gogs/gogs/security/advisories/GHSA-3w28-36p9-w929",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gogs/gogs/security/advisories/GHSA-3w28-36p9-w929"
},
{
"name": "https://github.com/gogs/gogs/pull/8326",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gogs/gogs/pull/8326"
},
{
"name": "https://github.com/gogs/gogs/commit/dd1bd9837aa196b3ed3a8ee21e5727b5d7a986a3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gogs/gogs/commit/dd1bd9837aa196b3ed3a8ee21e5727b5d7a986a3"
},
{
"name": "https://github.com/gogs/gogs/releases/tag/v0.14.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gogs/gogs/releases/tag/v0.14.3"
}
],
"source": {
"advisory": "GHSA-3w28-36p9-w929",
"discovery": "UNKNOWN"
},
"title": "Gogs: Unauthenticated Jupyter Notebook (ipynb) Sanitizer allows arbitrary data: URIs leading to XSS"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-52816",
"datePublished": "2026-06-24T20:26:34.151Z",
"dateReserved": "2026-06-08T18:11:06.660Z",
"dateUpdated": "2026-06-24T20:26:34.151Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-52807 (GCVE-0-2026-52807)
Vulnerability from cvelistv5 – Published: 2026-06-24 20:25 – Updated: 2026-06-24 20:25
VLAI
Title
Gogs: DOM-based XSS via Milestone Name on New Issue Page
Summary
Gogs is an open source self-hosted Git service. Prior to 0.14.3, in new_form.tmpl, milestone names are rendered with Go's default auto-escaping ({{.Name}}), which converts < to < etc. This prevents direct HTML injection. However, when the browser renders the DOM, the text content of the element contains the decoded original payload. Semantic UI 2.4.2's dropdown component has preserveHTML: true as the default setting. When a user selects a dropdown item, the internal set.text() method calls jQuery's .html() with the item's text content. This re-parses the decoded text as HTML, creating the injected element and triggering the JavaScript event handler. An attacker can store an HTML/JavaScript payload in a milestone name, and when any user opens the New Issue page and interacts with the milestone dropdown, the payload executes in their browser via Semantic UI's preserveHTML behavior. This vulnerability is fixed in 0.14.3.
Severity
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/gogs/gogs/security/advisories/… | x_refsource_CONFIRM |
| https://github.com/gogs/gogs/pull/8325 | x_refsource_MISC |
| https://github.com/gogs/gogs/commit/573eacdc65864… | x_refsource_MISC |
| https://github.com/gogs/gogs/releases/tag/v0.14.3 | x_refsource_MISC |
{
"containers": {
"cna": {
"affected": [
{
"product": "gogs",
"vendor": "gogs",
"versions": [
{
"status": "affected",
"version": "\u003c 0.14.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Gogs is an open source self-hosted Git service. Prior to 0.14.3, in new_form.tmpl, milestone names are rendered with Go\u0027s default auto-escaping ({{.Name}}), which converts \u003c to \u0026lt; etc. This prevents direct HTML injection. However, when the browser renders the DOM, the text content of the element contains the decoded original payload. Semantic UI 2.4.2\u0027s dropdown component has preserveHTML: true as the default setting. When a user selects a dropdown item, the internal set.text() method calls jQuery\u0027s .html() with the item\u0027s text content. This re-parses the decoded text as HTML, creating the injected element and triggering the JavaScript event handler. An attacker can store an HTML/JavaScript payload in a milestone name, and when any user opens the New Issue page and interacts with the milestone dropdown, the payload executes in their browser via Semantic UI\u0027s preserveHTML behavior. This vulnerability is fixed in 0.14.3."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "ACTIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T20:25:49.230Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gogs/gogs/security/advisories/GHSA-vcm5-gvmp-78mp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gogs/gogs/security/advisories/GHSA-vcm5-gvmp-78mp"
},
{
"name": "https://github.com/gogs/gogs/pull/8325",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gogs/gogs/pull/8325"
},
{
"name": "https://github.com/gogs/gogs/commit/573eacdc658641487f8ad883da96b29ec8e2852d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gogs/gogs/commit/573eacdc658641487f8ad883da96b29ec8e2852d"
},
{
"name": "https://github.com/gogs/gogs/releases/tag/v0.14.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gogs/gogs/releases/tag/v0.14.3"
}
],
"source": {
"advisory": "GHSA-vcm5-gvmp-78mp",
"discovery": "UNKNOWN"
},
"title": "Gogs: DOM-based XSS via Milestone Name on New Issue Page"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-52807",
"datePublished": "2026-06-24T20:25:49.230Z",
"dateReserved": "2026-06-08T18:02:19.731Z",
"dateUpdated": "2026-06-24T20:25:49.230Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-52805 (GCVE-0-2026-52805)
Vulnerability from cvelistv5 – Published: 2026-06-24 20:22 – Updated: 2026-06-24 20:22
VLAI
Title
Gogs: Migration Redirect Bypass Leads to Internal Repository Theft
Summary
Gogs is an open source self-hosted Git service. Prior to 0.14.3, a Server-Side Request Forgery (SSRF) vulnerability exists in the repository migration functionality. The application validates only the initially submitted URL hostname, but git clone --mirror follows HTTP redirects. An authenticated user can submit a public URL that redirects to a blocked internal endpoint (e.g., 127.0.0.1), importing the internal repository's contents into an attacker-controlled repository. This vulnerability is fixed in 0.14.3.
Severity
8.7 (High)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/gogs/gogs/security/advisories/… | x_refsource_CONFIRM |
| https://github.com/gogs/gogs/pull/8324 | x_refsource_MISC |
| https://github.com/gogs/gogs/commit/b9a0093e9cd1b… | x_refsource_MISC |
| https://github.com/gogs/gogs/releases/tag/v0.14.3 | x_refsource_MISC |
{
"containers": {
"cna": {
"affected": [
{
"product": "gogs",
"vendor": "gogs",
"versions": [
{
"status": "affected",
"version": "\u003c 0.14.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Gogs is an open source self-hosted Git service. Prior to 0.14.3, a Server-Side Request Forgery (SSRF) vulnerability exists in the repository migration functionality. The application validates only the initially submitted URL hostname, but git clone --mirror follows HTTP redirects. An authenticated user can submit a public URL that redirects to a blocked internal endpoint (e.g., 127.0.0.1), importing the internal repository\u0027s contents into an attacker-controlled repository. This vulnerability is fixed in 0.14.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T20:22:15.052Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gogs/gogs/security/advisories/GHSA-g2f5-gjr4-qjvm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gogs/gogs/security/advisories/GHSA-g2f5-gjr4-qjvm"
},
{
"name": "https://github.com/gogs/gogs/pull/8324",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gogs/gogs/pull/8324"
},
{
"name": "https://github.com/gogs/gogs/commit/b9a0093e9cd1b2b3c7f42f9feca396dc772c4f1b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gogs/gogs/commit/b9a0093e9cd1b2b3c7f42f9feca396dc772c4f1b"
},
{
"name": "https://github.com/gogs/gogs/releases/tag/v0.14.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gogs/gogs/releases/tag/v0.14.3"
}
],
"source": {
"advisory": "GHSA-g2f5-gjr4-qjvm",
"discovery": "UNKNOWN"
},
"title": "Gogs: Migration Redirect Bypass Leads to Internal Repository Theft"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-52805",
"datePublished": "2026-06-24T20:22:15.052Z",
"dateReserved": "2026-06-08T18:02:19.731Z",
"dateUpdated": "2026-06-24T20:22:15.052Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-52806 (GCVE-0-2026-52806)
Vulnerability from cvelistv5 – Published: 2026-06-24 20:21 – Updated: 2026-06-24 20:21
VLAI
Title
Gogs: RCE via git rebase --exec argument injection in pull request merge
Summary
Gogs is an open source self-hosted Git service. Prior to 0.14.3, Gogs allows authenticated users to achieve Remote Code Execution (RCE) on the server by creating a pull request with a specially crafted branch name that injects the --exec flag into the git rebase command during the "Rebase before merging" merge operation. This vulnerability is fixed in 0.14.3.
Severity
9.9 (Critical)
CWE
- CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/gogs/gogs/security/advisories/… | x_refsource_CONFIRM |
| https://github.com/gogs/gogs/pull/8301 | x_refsource_MISC |
| https://github.com/gogs/gogs/commit/a9dbafbfd8e10… | x_refsource_MISC |
| https://github.com/gogs/gogs/releases/tag/v0.14.3 | x_refsource_MISC |
{
"containers": {
"cna": {
"affected": [
{
"product": "gogs",
"vendor": "gogs",
"versions": [
{
"status": "affected",
"version": "\u003c 0.14.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Gogs is an open source self-hosted Git service. Prior to 0.14.3, Gogs allows authenticated users to achieve Remote Code Execution (RCE) on the server by creating a pull request with a specially crafted branch name that injects the --exec flag into the git rebase command during the \"Rebase before merging\" merge operation. This vulnerability is fixed in 0.14.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77: Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T20:21:07.650Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gogs/gogs/security/advisories/GHSA-qf6p-p7ww-cwr9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gogs/gogs/security/advisories/GHSA-qf6p-p7ww-cwr9"
},
{
"name": "https://github.com/gogs/gogs/pull/8301",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gogs/gogs/pull/8301"
},
{
"name": "https://github.com/gogs/gogs/commit/a9dbafbfd8e1020bacc626420238c01d75d03364",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gogs/gogs/commit/a9dbafbfd8e1020bacc626420238c01d75d03364"
},
{
"name": "https://github.com/gogs/gogs/releases/tag/v0.14.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gogs/gogs/releases/tag/v0.14.3"
}
],
"source": {
"advisory": "GHSA-qf6p-p7ww-cwr9",
"discovery": "UNKNOWN"
},
"title": "Gogs: RCE via git rebase --exec argument injection in pull request merge"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-52806",
"datePublished": "2026-06-24T20:21:07.650Z",
"dateReserved": "2026-06-08T18:02:19.731Z",
"dateUpdated": "2026-06-24T20:21:07.650Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-52804 (GCVE-0-2026-52804)
Vulnerability from cvelistv5 – Published: 2026-06-24 20:20 – Updated: 2026-06-24 20:20
VLAI
Title
Gogs: Privilege Escalation via Collaboration Access Mode Validation
Summary
Gogs is an open source self-hosted Git service. Prior to 0.14.3, a repository admin collaborator can escalate their privileges to owner-level access by exploiting an off-by-one error in the ChangeCollaborationAccessMode function. This vulnerability is fixed in 0.14.3.
Severity
CWE
- CWE-193 - Off-by-one Error
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/gogs/gogs/security/advisories/… | x_refsource_CONFIRM |
| https://github.com/gogs/gogs/pull/8227 | x_refsource_MISC |
| https://github.com/gogs/gogs/commit/1fdc9cc28e159… | x_refsource_MISC |
| https://github.com/gogs/gogs/releases/tag/v0.14.3 | x_refsource_MISC |
{
"containers": {
"cna": {
"affected": [
{
"product": "gogs",
"vendor": "gogs",
"versions": [
{
"status": "affected",
"version": "\u003c 0.14.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Gogs is an open source self-hosted Git service. Prior to 0.14.3, a repository admin collaborator can escalate their privileges to owner-level access by exploiting an off-by-one error in the ChangeCollaborationAccessMode function. This vulnerability is fixed in 0.14.3."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-193",
"description": "CWE-193: Off-by-one Error",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T20:20:26.848Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gogs/gogs/security/advisories/GHSA-4565-r4x7-hg8j",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gogs/gogs/security/advisories/GHSA-4565-r4x7-hg8j"
},
{
"name": "https://github.com/gogs/gogs/pull/8227",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gogs/gogs/pull/8227"
},
{
"name": "https://github.com/gogs/gogs/commit/1fdc9cc28e159135cfa4d6b11ecd5daa0f8ce22b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gogs/gogs/commit/1fdc9cc28e159135cfa4d6b11ecd5daa0f8ce22b"
},
{
"name": "https://github.com/gogs/gogs/releases/tag/v0.14.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gogs/gogs/releases/tag/v0.14.3"
}
],
"source": {
"advisory": "GHSA-4565-r4x7-hg8j",
"discovery": "UNKNOWN"
},
"title": "Gogs: Privilege Escalation via Collaboration Access Mode Validation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-52804",
"datePublished": "2026-06-24T20:20:26.848Z",
"dateReserved": "2026-06-08T18:02:19.731Z",
"dateUpdated": "2026-06-24T20:20:26.848Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-52799 (GCVE-0-2026-52799)
Vulnerability from cvelistv5 – Published: 2026-06-24 20:19 – Updated: 2026-06-24 20:19
VLAI
Title
Gogs: Missing Authorization in Attachment Download
Summary
Gogs is an open source self-hosted Git service. Prior to 0.14.3, GET /attachments/:uuid returns the raw attachment file without verifying whether the requester has view permission for the associated Issue/Comment/Release or the repository.
In a test environment with REQUIRE_SIGNIN_VIEW = false, we confirmed that an unauthenticated user can download attachments belonging to a private repository. This vulnerability is fixed in 0.14.3.
Severity
7.5 (High)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/gogs/gogs/security/advisories/… | x_refsource_CONFIRM |
| https://github.com/gogs/gogs/releases/tag/v0.14.3 | x_refsource_MISC |
{
"containers": {
"cna": {
"affected": [
{
"product": "gogs",
"vendor": "gogs",
"versions": [
{
"status": "affected",
"version": "\u003c 0.14.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Gogs is an open source self-hosted Git service. Prior to 0.14.3, GET /attachments/:uuid returns the raw attachment file without verifying whether the requester has view permission for the associated Issue/Comment/Release or the repository.\nIn a test environment with REQUIRE_SIGNIN_VIEW = false, we confirmed that an unauthenticated user can download attachments belonging to a private repository. This vulnerability is fixed in 0.14.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T20:19:32.370Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gogs/gogs/security/advisories/GHSA-p9f5-h3rx-j5qw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gogs/gogs/security/advisories/GHSA-p9f5-h3rx-j5qw"
},
{
"name": "https://github.com/gogs/gogs/releases/tag/v0.14.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gogs/gogs/releases/tag/v0.14.3"
}
],
"source": {
"advisory": "GHSA-p9f5-h3rx-j5qw",
"discovery": "UNKNOWN"
},
"title": "Gogs: Missing Authorization in Attachment Download"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-52799",
"datePublished": "2026-06-24T20:19:32.370Z",
"dateReserved": "2026-06-08T18:02:19.731Z",
"dateUpdated": "2026-06-24T20:19:32.370Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-52801 (GCVE-0-2026-52801)
Vulnerability from cvelistv5 – Published: 2026-06-24 20:18 – Updated: 2026-06-24 20:18
VLAI
Title
Gogs: Ability to import local repositories via Mirror Settings
Summary
Gogs is an open source self-hosted Git service. Prior to 0.14.3, the Gogs Mirror Settings functionality provide an alternative way from the well protected New Migration functionality for any authenticated users to import local repositories. This issue stems from a lack of validation of SaveAddress function. This vulnerability is fixed in 0.14.3.
Severity
8.1 (High)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/gogs/gogs/security/advisories/… | x_refsource_CONFIRM |
| https://github.com/gogs/gogs/pull/8225 | x_refsource_MISC |
| https://github.com/gogs/gogs/commit/11e19f28b5c82… | x_refsource_MISC |
| https://github.com/gogs/gogs/releases/tag/v0.14.3 | x_refsource_MISC |
{
"containers": {
"cna": {
"affected": [
{
"product": "gogs",
"vendor": "gogs",
"versions": [
{
"status": "affected",
"version": "\u003c 0.14.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Gogs is an open source self-hosted Git service. Prior to 0.14.3, the Gogs Mirror Settings functionality provide an alternative way from the well protected New Migration functionality for any authenticated users to import local repositories. This issue stems from a lack of validation of SaveAddress function. This vulnerability is fixed in 0.14.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T20:18:55.465Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gogs/gogs/security/advisories/GHSA-wv27-2vqp-j7g5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gogs/gogs/security/advisories/GHSA-wv27-2vqp-j7g5"
},
{
"name": "https://github.com/gogs/gogs/pull/8225",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gogs/gogs/pull/8225"
},
{
"name": "https://github.com/gogs/gogs/commit/11e19f28b5c82466fd1689c94344ef4313ee986c",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gogs/gogs/commit/11e19f28b5c82466fd1689c94344ef4313ee986c"
},
{
"name": "https://github.com/gogs/gogs/releases/tag/v0.14.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gogs/gogs/releases/tag/v0.14.3"
}
],
"source": {
"advisory": "GHSA-wv27-2vqp-j7g5",
"discovery": "UNKNOWN"
},
"title": "Gogs: Ability to import local repositories via Mirror Settings"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-52801",
"datePublished": "2026-06-24T20:18:55.465Z",
"dateReserved": "2026-06-08T18:02:19.731Z",
"dateUpdated": "2026-06-24T20:18:55.465Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-52800 (GCVE-0-2026-52800)
Vulnerability from cvelistv5 – Published: 2026-06-24 20:18 – Updated: 2026-06-24 20:18
VLAI
Title
Gogs: CSRF Leading to Organization Owner Takeover
Summary
Gogs is an open source self-hosted Git service. Prior to 0.14.3, organization team member management can be performed via GET requests without CSRF protection. If a victim who is an organization owner is logged in and is tricked into visiting a crafted link, an attacker-controlled user can be added to the Owners team. As a result, the attacker gains organization owner–equivalent privileges. This vulnerability is fixed in 0.14.3.
Severity
8.8 (High)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/gogs/gogs/security/advisories/… | x_refsource_CONFIRM |
| https://github.com/gogs/gogs/pull/8321 | x_refsource_MISC |
| https://github.com/gogs/gogs/commit/070df61ecd14c… | x_refsource_MISC |
| https://github.com/gogs/gogs/releases/tag/v0.14.3 | x_refsource_MISC |
{
"containers": {
"cna": {
"affected": [
{
"product": "gogs",
"vendor": "gogs",
"versions": [
{
"status": "affected",
"version": "\u003c 0.14.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Gogs is an open source self-hosted Git service. Prior to 0.14.3, organization team member management can be performed via GET requests without CSRF protection. If a victim who is an organization owner is logged in and is tricked into visiting a crafted link, an attacker-controlled user can be added to the Owners team. As a result, the attacker gains organization owner\u2013equivalent privileges. This vulnerability is fixed in 0.14.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352: Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T20:18:11.110Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gogs/gogs/security/advisories/GHSA-pwx3-qcgw-vh7h",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gogs/gogs/security/advisories/GHSA-pwx3-qcgw-vh7h"
},
{
"name": "https://github.com/gogs/gogs/pull/8321",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gogs/gogs/pull/8321"
},
{
"name": "https://github.com/gogs/gogs/commit/070df61ecd14c75b0aca93090f860b87ab17ac19",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gogs/gogs/commit/070df61ecd14c75b0aca93090f860b87ab17ac19"
},
{
"name": "https://github.com/gogs/gogs/releases/tag/v0.14.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gogs/gogs/releases/tag/v0.14.3"
}
],
"source": {
"advisory": "GHSA-pwx3-qcgw-vh7h",
"discovery": "UNKNOWN"
},
"title": "Gogs: CSRF Leading to Organization Owner Takeover"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-52800",
"datePublished": "2026-06-24T20:18:11.110Z",
"dateReserved": "2026-06-08T18:02:19.731Z",
"dateUpdated": "2026-06-24T20:18:11.110Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-52802 (GCVE-0-2026-52802)
Vulnerability from cvelistv5 – Published: 2026-06-24 20:17 – Updated: 2026-06-24 20:17
VLAI
Title
Gogs: Open Redirect via redirect_to in Gogs
Summary
Gogs is an open source self-hosted Git service. Prior to 0.14.3, an open redirect vulnerability exists in Gogs where attacker-controlled redirect_to parameters can bypass validation, allowing redirection to arbitrary external sites. All redirects in Gogs that are validated via the IsSameSite function are vulnerable. The function only inspects the first two characters of the URL string. This check fails to account for directory traversal sequences followed by backslashes. This vulnerability is fixed in 0.14.3.
Severity
5.4 (Medium)
CWE
- CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/gogs/gogs/security/advisories/… | x_refsource_CONFIRM |
| https://github.com/gogs/gogs/pull/8322 | x_refsource_MISC |
| https://github.com/gogs/gogs/commit/c5da9631dc75f… | x_refsource_MISC |
| https://github.com/gogs/gogs/releases/tag/v0.14.3 | x_refsource_MISC |
{
"containers": {
"cna": {
"affected": [
{
"product": "gogs",
"vendor": "gogs",
"versions": [
{
"status": "affected",
"version": "\u003c 0.14.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Gogs is an open source self-hosted Git service. Prior to 0.14.3, an open redirect vulnerability exists in Gogs where attacker-controlled redirect_to parameters can bypass validation, allowing redirection to arbitrary external sites. All redirects in Gogs that are validated via the IsSameSite function are vulnerable. The function only inspects the first two characters of the URL string. This check fails to account for directory traversal sequences followed by backslashes. This vulnerability is fixed in 0.14.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T20:17:19.805Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gogs/gogs/security/advisories/GHSA-xxhq-69mf-w8cr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gogs/gogs/security/advisories/GHSA-xxhq-69mf-w8cr"
},
{
"name": "https://github.com/gogs/gogs/pull/8322",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gogs/gogs/pull/8322"
},
{
"name": "https://github.com/gogs/gogs/commit/c5da9631dc75f692f313373ae229c4d47ba6517f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gogs/gogs/commit/c5da9631dc75f692f313373ae229c4d47ba6517f"
},
{
"name": "https://github.com/gogs/gogs/releases/tag/v0.14.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gogs/gogs/releases/tag/v0.14.3"
}
],
"source": {
"advisory": "GHSA-xxhq-69mf-w8cr",
"discovery": "UNKNOWN"
},
"title": "Gogs: Open Redirect via redirect_to in Gogs"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-52802",
"datePublished": "2026-06-24T20:17:19.805Z",
"dateReserved": "2026-06-08T18:02:19.731Z",
"dateUpdated": "2026-06-24T20:17:19.805Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-52814 (GCVE-0-2026-52814)
Vulnerability from cvelistv5 – Published: 2026-06-24 20:15 – Updated: 2026-06-24 20:15
VLAI
Title
Gogs: Unauthenticated Asymmetric Denial of Service (DoS) via SSH Handshake Stall (File Descriptor Exhaustion)
Summary
Gogs is an open source self-hosted Git service. Prior to 0.14.3, the Gogs built-in Go SSH server is vulnerable to an unauthenticated, asymmetric Denial of Service (DoS) attack. The application accepts inbound TCP connections and passes them to golang.org/x/crypto/ssh.NewServerConn inside a new goroutine without enforcing any read/write deadlines on the underlying net.Conn. An unauthenticated attacker can open multiple TCP connections to the SSH port and simply withhold the SSH protocol banner. This forces the server to spawn an unbounded number of goroutines that block indefinitely waiting for socket I/O. This leads to complete File Descriptor (FD) exhaustion, preventing legitimate users from accessing the Git SSH service, and ultimately destabilizing the entire Gogs process (e.g., causing internal log rotation failures). This vulnerability is fixed in 0.14.3.
Severity
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/gogs/gogs/security/advisories/… | x_refsource_CONFIRM |
| https://github.com/gogs/gogs/pull/8335 | x_refsource_MISC |
| https://github.com/gogs/gogs/commit/7da9cda314054… | x_refsource_MISC |
| https://github.com/gogs/gogs/releases/tag/v0.14.3 | x_refsource_MISC |
{
"containers": {
"cna": {
"affected": [
{
"product": "gogs",
"vendor": "gogs",
"versions": [
{
"status": "affected",
"version": "\u003c 0.14.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Gogs is an open source self-hosted Git service. Prior to 0.14.3, the Gogs built-in Go SSH server is vulnerable to an unauthenticated, asymmetric Denial of Service (DoS) attack. The application accepts inbound TCP connections and passes them to golang.org/x/crypto/ssh.NewServerConn inside a new goroutine without enforcing any read/write deadlines on the underlying net.Conn. An unauthenticated attacker can open multiple TCP connections to the SSH port and simply withhold the SSH protocol banner. This forces the server to spawn an unbounded number of goroutines that block indefinitely waiting for socket I/O. This leads to complete File Descriptor (FD) exhaustion, preventing legitimate users from accessing the Git SSH service, and ultimately destabilizing the entire Gogs process (e.g., causing internal log rotation failures). This vulnerability is fixed in 0.14.3."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T20:15:51.513Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gogs/gogs/security/advisories/GHSA-xp79-5mx3-jx52",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gogs/gogs/security/advisories/GHSA-xp79-5mx3-jx52"
},
{
"name": "https://github.com/gogs/gogs/pull/8335",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gogs/gogs/pull/8335"
},
{
"name": "https://github.com/gogs/gogs/commit/7da9cda314054501e1a7938a9c4d7896f331b884",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gogs/gogs/commit/7da9cda314054501e1a7938a9c4d7896f331b884"
},
{
"name": "https://github.com/gogs/gogs/releases/tag/v0.14.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gogs/gogs/releases/tag/v0.14.3"
}
],
"source": {
"advisory": "GHSA-xp79-5mx3-jx52",
"discovery": "UNKNOWN"
},
"title": "Gogs: Unauthenticated Asymmetric Denial of Service (DoS) via SSH Handshake Stall (File Descriptor Exhaustion)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-52814",
"datePublished": "2026-06-24T20:15:51.513Z",
"dateReserved": "2026-06-08T18:11:06.660Z",
"dateUpdated": "2026-06-24T20:15:51.513Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-52798 (GCVE-0-2026-52798)
Vulnerability from cvelistv5 – Published: 2026-06-24 20:14 – Updated: 2026-06-24 20:14
VLAI
Title
Gogs: Stored XSS in `.ipynb` Preview
Summary
Gogs is an open source self-hosted Git service. Prior to 0.14.3, although .ipynb previews are sanitized on the server side via /-/api/sanitize_ipynb, the inserted content is re-rendered on the client side without sanitization using marked() on elements with the .nb-markdown-cell class. During this process, links containing schemes such as javascript: can be regenerated. As a result, when a victim views an attacker-crafted .ipynb file and clicks the link, arbitrary JavaScript is executed in the Gogs origin, leading to a click-based Stored XSS. This vulnerability is fixed in 0.14.3.
Severity
8.9 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/gogs/gogs/security/advisories/… | x_refsource_CONFIRM |
| https://github.com/gogs/gogs/pull/8319 | x_refsource_MISC |
| https://github.com/gogs/gogs/commit/17b168b11ca75… | x_refsource_MISC |
| https://github.com/gogs/gogs/releases/tag/v0.14.3 | x_refsource_MISC |
{
"containers": {
"cna": {
"affected": [
{
"product": "gogs",
"vendor": "gogs",
"versions": [
{
"status": "affected",
"version": "\u003c 0.14.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Gogs is an open source self-hosted Git service. Prior to 0.14.3, although .ipynb previews are sanitized on the server side via /-/api/sanitize_ipynb, the inserted content is re-rendered on the client side without sanitization using marked() on elements with the .nb-markdown-cell class. During this process, links containing schemes such as javascript: can be regenerated. As a result, when a victim views an attacker-crafted .ipynb file and clicks the link, arbitrary JavaScript is executed in the Gogs origin, leading to a click-based Stored XSS. This vulnerability is fixed in 0.14.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.9,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T20:14:13.965Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gogs/gogs/security/advisories/GHSA-jq8v-rmf6-65jw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gogs/gogs/security/advisories/GHSA-jq8v-rmf6-65jw"
},
{
"name": "https://github.com/gogs/gogs/pull/8319",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gogs/gogs/pull/8319"
},
{
"name": "https://github.com/gogs/gogs/commit/17b168b11ca759a7550e1f4bbd68bbde14db7785",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gogs/gogs/commit/17b168b11ca759a7550e1f4bbd68bbde14db7785"
},
{
"name": "https://github.com/gogs/gogs/releases/tag/v0.14.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gogs/gogs/releases/tag/v0.14.3"
}
],
"source": {
"advisory": "GHSA-jq8v-rmf6-65jw",
"discovery": "UNKNOWN"
},
"title": "Gogs: Stored XSS in `.ipynb` Preview"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-52798",
"datePublished": "2026-06-24T20:14:13.965Z",
"dateReserved": "2026-06-08T18:02:19.731Z",
"dateUpdated": "2026-06-24T20:14:13.965Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-52796 (GCVE-0-2026-52796)
Vulnerability from cvelistv5 – Published: 2026-06-24 20:13 – Updated: 2026-06-24 20:13
VLAI
Title
Gogs: DoS in rendering issue index pattern
Summary
Gogs is an open source self-hosted Git service. Prior to 0.14.3, specially crafted issue index pattern can cause a panic when rendering, resulting in denial of service. In internal/markup/markup.go, RenderIssueIndexPattern renders the issue index pattern to a link using com.Expand, which is not safe: when the configured pattern contains an opening brace { but no closing brace }, strings.Index(template, "}") returns -1 and the subsequent slice template[:-1] triggers a panic. Once such a pattern is set, any page in the affected repository that contains an issue index reference such as #1 becomes unavailable. This vulnerability is fixed in 0.14.3.
Severity
CWE
- CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/gogs/gogs/security/advisories/… | x_refsource_CONFIRM |
{
"containers": {
"cna": {
"affected": [
{
"product": "gogs",
"vendor": "gogs",
"versions": [
{
"status": "affected",
"version": "\u003c 0.14.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Gogs is an open source self-hosted Git service. Prior to 0.14.3, specially crafted issue index pattern can cause a panic when rendering, resulting in denial of service. In internal/markup/markup.go, RenderIssueIndexPattern renders the issue index pattern to a link using com.Expand, which is not safe: when the configured pattern contains an opening brace { but no closing brace }, strings.Index(template, \"}\") returns -1 and the subsequent slice template[:-1] triggers a panic. Once such a pattern is set, any page in the affected repository that contains an issue index reference such as #1 becomes unavailable. This vulnerability is fixed in 0.14.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1336",
"description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T20:13:11.884Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gogs/gogs/security/advisories/GHSA-4j89-2c4f-44c6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gogs/gogs/security/advisories/GHSA-4j89-2c4f-44c6"
}
],
"source": {
"advisory": "GHSA-4j89-2c4f-44c6",
"discovery": "UNKNOWN"
},
"title": "Gogs: DoS in rendering issue index pattern"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-52796",
"datePublished": "2026-06-24T20:13:11.884Z",
"dateReserved": "2026-06-08T18:02:19.731Z",
"dateUpdated": "2026-06-24T20:13:11.884Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-47267 (GCVE-0-2026-47267)
Vulnerability from cvelistv5 – Published: 2026-06-24 20:09 – Updated: 2026-06-24 20:09
VLAI
Title
Gogs: SSRF in webhook deliveries
Summary
Gogs is an open source self-hosted Git service. Prior to 0.14.3, the fix for CVE-2022-1285 prevents adding webooks or running webhooks with URLs with a hostname that resolves in localCIDRs. However, webhooks still follow redirects allowing to access hostname inside localCIDRs. This vulnerability is fixed in 0.14.3.
Severity
8.3 (High)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/gogs/gogs/security/advisories/… | x_refsource_CONFIRM |
| https://github.com/gogs/gogs/pull/8263 | x_refsource_MISC |
| https://github.com/gogs/gogs/commit/199cf4fd5bbe4… | x_refsource_MISC |
{
"containers": {
"cna": {
"affected": [
{
"product": "gogs",
"vendor": "gogs",
"versions": [
{
"status": "affected",
"version": "\u003c 0.14.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Gogs is an open source self-hosted Git service. Prior to 0.14.3, the fix for CVE-2022-1285 prevents adding webooks or running webhooks with URLs with a hostname that resolves in localCIDRs. However, webhooks still follow redirects allowing to access hostname inside localCIDRs. This vulnerability is fixed in 0.14.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T20:09:02.854Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gogs/gogs/security/advisories/GHSA-c4v7-xg93-qf8g",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gogs/gogs/security/advisories/GHSA-c4v7-xg93-qf8g"
},
{
"name": "https://github.com/gogs/gogs/pull/8263",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gogs/gogs/pull/8263"
},
{
"name": "https://github.com/gogs/gogs/commit/199cf4fd5bbe40b92f6dc8d649e241fd7a8d0018",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gogs/gogs/commit/199cf4fd5bbe40b92f6dc8d649e241fd7a8d0018"
}
],
"source": {
"advisory": "GHSA-c4v7-xg93-qf8g",
"discovery": "UNKNOWN"
},
"title": "Gogs: SSRF in webhook deliveries"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-47267",
"datePublished": "2026-06-24T20:09:02.854Z",
"dateReserved": "2026-05-18T23:03:37.229Z",
"dateUpdated": "2026-06-24T20:09:02.854Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25119 (GCVE-0-2026-25119)
Vulnerability from cvelistv5 – Published: 2026-06-24 20:07 – Updated: 2026-06-24 20:07
VLAI
Title
Gogs: Authentication Bypass via Unvalidated Reverse Proxy Headers
Summary
Gogs is an open source self-hosted Git service. Prior to 0.14.3, when ENABLE_REVERSE_PROXY_AUTHENTICATION is enabled, Gogs accepts the configured authentication header (default: X-WEBAUTH-USER) directly from client requests without validating that the request originated from a trusted reverse proxy. Any remote attacker who can reach the Gogs service can forge this header to impersonate any user or trigger automatic account creation, completely bypassing authentication. This vulnerability is fixed in 0.14.3.
Severity
CWE
- CWE-290 - Authentication Bypass by Spoofing
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/gogs/gogs/security/advisories/… | x_refsource_CONFIRM |
| https://github.com/gogs/gogs/pull/8264 | x_refsource_MISC |
| https://github.com/gogs/gogs/commit/0089c4c8e5b8d… | x_refsource_MISC |
| https://github.com/gogs/gogs/releases/tag/v0.14.3 | x_refsource_MISC |
{
"containers": {
"cna": {
"affected": [
{
"product": "gogs",
"vendor": "gogs",
"versions": [
{
"status": "affected",
"version": "\u003c 0.14.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Gogs is an open source self-hosted Git service. Prior to 0.14.3, when ENABLE_REVERSE_PROXY_AUTHENTICATION is enabled, Gogs accepts the configured authentication header (default: X-WEBAUTH-USER) directly from client requests without validating that the request originated from a trusted reverse proxy. Any remote attacker who can reach the Gogs service can forge this header to impersonate any user or trigger automatic account creation, completely bypassing authentication. This vulnerability is fixed in 0.14.3."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-290",
"description": "CWE-290: Authentication Bypass by Spoofing",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T20:07:32.497Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gogs/gogs/security/advisories/GHSA-w6j9-vw59-27wv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gogs/gogs/security/advisories/GHSA-w6j9-vw59-27wv"
},
{
"name": "https://github.com/gogs/gogs/pull/8264",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gogs/gogs/pull/8264"
},
{
"name": "https://github.com/gogs/gogs/commit/0089c4c8e5b8d99eb6e5c8727f8f40d765f1f58a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gogs/gogs/commit/0089c4c8e5b8d99eb6e5c8727f8f40d765f1f58a"
},
{
"name": "https://github.com/gogs/gogs/releases/tag/v0.14.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gogs/gogs/releases/tag/v0.14.3"
}
],
"source": {
"advisory": "GHSA-w6j9-vw59-27wv",
"discovery": "UNKNOWN"
},
"title": "Gogs: Authentication Bypass via Unvalidated Reverse Proxy Headers"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25119",
"datePublished": "2026-06-24T20:07:32.497Z",
"dateReserved": "2026-01-29T14:03:42.539Z",
"dateUpdated": "2026-06-24T20:07:32.497Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-52795 (GCVE-0-2026-52795)
Vulnerability from cvelistv5 – Published: 2026-06-24 20:06 – Updated: 2026-06-24 20:06
VLAI
Title
Gogs: Authorization Bypass in Watch API allows any user to monitor private repository activity
Summary
Gogs is an open source self-hosted Git service. In 0.14.3 and earlier, any authenticated user can watch a private repository they have no access to, because the access check in the Watch API handler is inverted. The code checks if repoCtx.ViewerCanRead() (returns 404 when the user CAN read) instead of if !repoCtx.ViewerCanRead() (return 404 when the user CANNOT read). Once watching, the attacker's dashboard activity feed shows commit messages, branch names, issue titles, and PR details from the private repository. If email notifications are enabled, the attacker also receives emails containing issue and comment content.
Severity
4.3 (Medium)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/gogs/gogs/security/advisories/… | x_refsource_CONFIRM |
| https://github.com/gogs/gogs/commit/d61caa3676fde… | x_refsource_MISC |
{
"containers": {
"cna": {
"affected": [
{
"product": "gogs",
"vendor": "gogs",
"versions": [
{
"status": "affected",
"version": "\u003c= 0.14.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Gogs is an open source self-hosted Git service. In 0.14.3 and earlier, any authenticated user can watch a private repository they have no access to, because the access check in the Watch API handler is inverted. The code checks if repoCtx.ViewerCanRead() (returns 404 when the user CAN read) instead of if !repoCtx.ViewerCanRead() (return 404 when the user CANNOT read). Once watching, the attacker\u0027s dashboard activity feed shows commit messages, branch names, issue titles, and PR details from the private repository. If email notifications are enabled, the attacker also receives emails containing issue and comment content."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T20:06:15.058Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gogs/gogs/security/advisories/GHSA-v8w7-f6gc-cqc2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gogs/gogs/security/advisories/GHSA-v8w7-f6gc-cqc2"
},
{
"name": "https://github.com/gogs/gogs/commit/d61caa3676fde060d0c03ccf815851dddc7c67e0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gogs/gogs/commit/d61caa3676fde060d0c03ccf815851dddc7c67e0"
}
],
"source": {
"advisory": "GHSA-v8w7-f6gc-cqc2",
"discovery": "UNKNOWN"
},
"title": "Gogs: Authorization Bypass in Watch API allows any user to monitor private repository activity"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-52795",
"datePublished": "2026-06-24T20:06:15.058Z",
"dateReserved": "2026-06-08T18:02:19.731Z",
"dateUpdated": "2026-06-24T20:06:15.058Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-64719 (GCVE-0-2025-64719)
Vulnerability from cvelistv5 – Published: 2026-06-24 20:03 – Updated: 2026-06-24 20:03
VLAI
Title
Gogs: Denial of Service in repository/wiki file listing web pages
Summary
Gogs is an open source self-hosted Git service. Prior to 0.14.3, a malicious user with rights to create a new file on a repository or wiki page can trigger a denial of service condition in which the pages containing the listing of files will return HTTP error 500 and render the web interface unusable for the repository or wiki. The issue is present in file internal/route/repo/wiki.go and internal/route/repo/view.go where the pages try to recover commit information. If errors are returned while recovering commit information, the page will return a 500 error and stop rendering, resulting in a denial of service. This vulnerability is fixed in 0.14.3.
Severity
4.9 (Medium)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/gogs/gogs/security/advisories/… | x_refsource_CONFIRM |
{
"containers": {
"cna": {
"affected": [
{
"product": "gogs",
"vendor": "gogs",
"versions": [
{
"status": "affected",
"version": "\u003c 0.14.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Gogs is an open source self-hosted Git service. Prior to 0.14.3, a malicious user with rights to create a new file on a repository or wiki page can trigger a denial of service condition in which the pages containing the listing of files will return HTTP error 500 and render the web interface unusable for the repository or wiki. The issue is present in file internal/route/repo/wiki.go and internal/route/repo/view.go where the pages try to recover commit information. If errors are returned while recovering commit information, the page will return a 500 error and stop rendering, resulting in a denial of service. This vulnerability is fixed in 0.14.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T20:03:07.239Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gogs/gogs/security/advisories/GHSA-3qq3-668m-v9mj",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gogs/gogs/security/advisories/GHSA-3qq3-668m-v9mj"
}
],
"source": {
"advisory": "GHSA-3qq3-668m-v9mj",
"discovery": "UNKNOWN"
},
"title": "Gogs: Denial of Service in repository/wiki file listing web pages"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-64719",
"datePublished": "2026-06-24T20:03:07.239Z",
"dateReserved": "2025-11-10T14:07:42.922Z",
"dateUpdated": "2026-06-24T20:03:07.239Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-52815 (GCVE-0-2026-52815)
Vulnerability from cvelistv5 – Published: 2026-06-24 20:01 – Updated: 2026-06-24 20:01
VLAI
Title
Gogs: Unauthenticated Organization Teams Information Disclosure via API
Summary
Gogs is an open source self-hosted Git service. Prior to 0.14.3, Gogs has an unauthenticated information disclosure vulnerability. The GET /api/v1/orgs/:orgname/teams endpoint at internal/route/api/v1/org_team.go:8 returns all teams for any organization without requiring authentication. The route group at internal/route/api/v1/api.go:380-385 lacks the reqToken() middleware, and the listTeams() handler performs no authentication check, exposing team IDs, names, descriptions, and permission levels to any unauthenticated caller. This vulnerability is fixed in 0.14.3.
Severity
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/gogs/gogs/security/advisories/… | x_refsource_CONFIRM |
{
"containers": {
"cna": {
"affected": [
{
"product": "gogs",
"vendor": "gogs",
"versions": [
{
"status": "affected",
"version": "\u003c 0.14.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Gogs is an open source self-hosted Git service. Prior to 0.14.3, Gogs has an unauthenticated information disclosure vulnerability. The GET /api/v1/orgs/:orgname/teams endpoint at internal/route/api/v1/org_team.go:8 returns all teams for any organization without requiring authentication. The route group at internal/route/api/v1/api.go:380-385 lacks the reqToken() middleware, and the listTeams() handler performs no authentication check, exposing team IDs, names, descriptions, and permission levels to any unauthenticated caller. This vulnerability is fixed in 0.14.3."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T20:01:03.050Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gogs/gogs/security/advisories/GHSA-744x-3838-5r56",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gogs/gogs/security/advisories/GHSA-744x-3838-5r56"
}
],
"source": {
"advisory": "GHSA-744x-3838-5r56",
"discovery": "UNKNOWN"
},
"title": "Gogs: Unauthenticated Organization Teams Information Disclosure via API"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-52815",
"datePublished": "2026-06-24T20:01:03.050Z",
"dateReserved": "2026-06-08T18:11:06.660Z",
"dateUpdated": "2026-06-24T20:01:03.050Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-26196 (GCVE-0-2026-26196)
Vulnerability from nvd – Published: 2026-03-05 18:49 – Updated: 2026-03-06 18:08
VLAI
Title
Gogs: Access tokens get exposed through URL params in API requests
Summary
Gogs is an open source self-hosted Git service. Prior to version 0.14.2, gogs api still accepts tokens in url params like token and access_token, which can leak through logs, browser history, and referrers. This issue has been patched in version 0.14.2.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-598 - Use of GET Request Method With Sensitive Query Strings
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/gogs/gogs/security/advisories/… | x_refsource_CONFIRM |
| https://github.com/gogs/gogs/pull/8177 | x_refsource_MISC |
| https://github.com/gogs/gogs/commit/295bfba72993c… | x_refsource_MISC |
| https://github.com/gogs/gogs/releases/tag/v0.14.2 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-26196",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-06T18:07:57.384250Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-06T18:08:07.473Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "gogs",
"vendor": "gogs",
"versions": [
{
"status": "affected",
"version": "\u003c 0.14.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Gogs is an open source self-hosted Git service. Prior to version 0.14.2, gogs api still accepts tokens in url params like token and access_token, which can leak through logs, browser history, and referrers. This issue has been patched in version 0.14.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-598",
"description": "CWE-598: Use of GET Request Method With Sensitive Query Strings",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-05T18:49:19.540Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gogs/gogs/security/advisories/GHSA-x9p5-w45c-7ffc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gogs/gogs/security/advisories/GHSA-x9p5-w45c-7ffc"
},
{
"name": "https://github.com/gogs/gogs/pull/8177",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gogs/gogs/pull/8177"
},
{
"name": "https://github.com/gogs/gogs/commit/295bfba72993c372e7b338438947d8e1a6bed8fd",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gogs/gogs/commit/295bfba72993c372e7b338438947d8e1a6bed8fd"
},
{
"name": "https://github.com/gogs/gogs/releases/tag/v0.14.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gogs/gogs/releases/tag/v0.14.2"
}
],
"source": {
"advisory": "GHSA-x9p5-w45c-7ffc",
"discovery": "UNKNOWN"
},
"title": "Gogs: Access tokens get exposed through URL params in API requests"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-26196",
"datePublished": "2026-03-05T18:49:19.540Z",
"dateReserved": "2026-02-11T19:56:24.813Z",
"dateUpdated": "2026-03-06T18:08:07.473Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-26276 (GCVE-0-2026-26276)
Vulnerability from nvd – Published: 2026-03-05 18:51 – Updated: 2026-03-07 04:55
VLAI
Title
Gogs: DOM-based XSS via milestone selection
Summary
Gogs is an open source self-hosted Git service. Prior to version 0.14.2, an attacker can store an HTML/JavaScript payload in a repository’s Milestone name, and when another user selects that Milestone on the New Issue page (/issues/new), a DOM-Based XSS is triggered. This issue has been patched in version 0.14.2.
Severity
7.3 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/gogs/gogs/security/advisories/… | x_refsource_CONFIRM |
| https://github.com/gogs/gogs/pull/8178 | x_refsource_MISC |
| https://github.com/gogs/gogs/releases/tag/v0.14.2 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-26276",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-06T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-07T04:55:33.384Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "gogs",
"vendor": "gogs",
"versions": [
{
"status": "affected",
"version": "\u003c 0.14.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Gogs is an open source self-hosted Git service. Prior to version 0.14.2, an attacker can store an HTML/JavaScript payload in a repository\u2019s Milestone name, and when another user selects that Milestone on the New Issue page (/issues/new), a DOM-Based XSS is triggered. This issue has been patched in version 0.14.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-05T18:51:13.530Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gogs/gogs/security/advisories/GHSA-vgjm-2cpf-4g7c",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gogs/gogs/security/advisories/GHSA-vgjm-2cpf-4g7c"
},
{
"name": "https://github.com/gogs/gogs/pull/8178",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gogs/gogs/pull/8178"
},
{
"name": "https://github.com/gogs/gogs/releases/tag/v0.14.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gogs/gogs/releases/tag/v0.14.2"
}
],
"source": {
"advisory": "GHSA-vgjm-2cpf-4g7c",
"discovery": "UNKNOWN"
},
"title": "Gogs: DOM-based XSS via milestone selection"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-26276",
"datePublished": "2026-03-05T18:51:13.530Z",
"dateReserved": "2026-02-12T17:10:53.413Z",
"dateUpdated": "2026-03-07T04:55:33.384Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-26022 (GCVE-0-2026-26022)
Vulnerability from nvd – Published: 2026-03-05 18:34 – Updated: 2026-03-10 03:55
VLAI
Title
Gogs: Stored XSS via data URI in issue comments
Summary
Gogs is an open source self-hosted Git service. Prior to version 0.14.2, a stored cross-site scripting (XSS) vulnerability exists in the comment and issue description functionality. The application's HTML sanitizer explicitly allows data: URI schemes, enabling authenticated users to inject arbitrary JavaScript execution via malicious links. This issue has been patched in version 0.14.2.
Severity
8.7 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/gogs/gogs/security/advisories/… | x_refsource_CONFIRM |
| https://github.com/gogs/gogs/pull/8174 | x_refsource_MISC |
| https://github.com/gogs/gogs/commit/441c64d7bd889… | x_refsource_MISC |
| https://github.com/gogs/gogs/releases/tag/v0.14.2 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-26022",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-06T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-10T03:55:24.998Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "gogs",
"vendor": "gogs",
"versions": [
{
"status": "affected",
"version": "\u003c 0.14.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Gogs is an open source self-hosted Git service. Prior to version 0.14.2, a stored cross-site scripting (XSS) vulnerability exists in the comment and issue description functionality. The application\u0027s HTML sanitizer explicitly allows data: URI schemes, enabling authenticated users to inject arbitrary JavaScript execution via malicious links. This issue has been patched in version 0.14.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-05T18:34:12.843Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gogs/gogs/security/advisories/GHSA-xrcr-gmf5-2r8j",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gogs/gogs/security/advisories/GHSA-xrcr-gmf5-2r8j"
},
{
"name": "https://github.com/gogs/gogs/pull/8174",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gogs/gogs/pull/8174"
},
{
"name": "https://github.com/gogs/gogs/commit/441c64d7bd8893b2f4e48660a8be3a7472e14291",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gogs/gogs/commit/441c64d7bd8893b2f4e48660a8be3a7472e14291"
},
{
"name": "https://github.com/gogs/gogs/releases/tag/v0.14.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gogs/gogs/releases/tag/v0.14.2"
}
],
"source": {
"advisory": "GHSA-xrcr-gmf5-2r8j",
"discovery": "UNKNOWN"
},
"title": "Gogs: Stored XSS via data URI in issue comments"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-26022",
"datePublished": "2026-03-05T18:34:12.843Z",
"dateReserved": "2026-02-09T21:36:29.555Z",
"dateUpdated": "2026-03-10T03:55:24.998Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25921 (GCVE-0-2026-25921)
Vulnerability from nvd – Published: 2026-03-05 18:36 – Updated: 2026-03-06 18:10
VLAI
Title
Gogs: Cross-repository LFS object overwrite via missing content hash verification
Summary
Gogs is an open source self-hosted Git service. Prior to version 0.14.2, overwritable LFS object across different repos leads to supply-chain attack, all LFS objects are vulnerable to be maliciously overwritten by malicious attackers. This issue has been patched in version 0.14.2.
Severity
9.3 (Critical)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-345 - Insufficient Verification of Data Authenticity
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/gogs/gogs/security/advisories/… | x_refsource_CONFIRM |
| https://github.com/gogs/gogs/pull/8166 | x_refsource_MISC |
| https://github.com/gogs/gogs/commit/81ee8836445ac… | x_refsource_MISC |
| https://github.com/gogs/gogs/releases/tag/v0.14.2 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25921",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-06T18:10:40.475842Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-06T18:10:49.926Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "gogs",
"vendor": "gogs",
"versions": [
{
"status": "affected",
"version": "\u003c 0.14.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Gogs is an open source self-hosted Git service. Prior to version 0.14.2, overwritable LFS object across different repos leads to supply-chain attack, all LFS objects are vulnerable to be maliciously overwritten by malicious attackers. This issue has been patched in version 0.14.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-345",
"description": "CWE-345: Insufficient Verification of Data Authenticity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-05T18:36:30.692Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gogs/gogs/security/advisories/GHSA-cj4v-437j-jq4c",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gogs/gogs/security/advisories/GHSA-cj4v-437j-jq4c"
},
{
"name": "https://github.com/gogs/gogs/pull/8166",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gogs/gogs/pull/8166"
},
{
"name": "https://github.com/gogs/gogs/commit/81ee8836445ac888d99da8b652be7d5cbc5c4d5c",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gogs/gogs/commit/81ee8836445ac888d99da8b652be7d5cbc5c4d5c"
},
{
"name": "https://github.com/gogs/gogs/releases/tag/v0.14.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gogs/gogs/releases/tag/v0.14.2"
}
],
"source": {
"advisory": "GHSA-cj4v-437j-jq4c",
"discovery": "UNKNOWN"
},
"title": "Gogs: Cross-repository LFS object overwrite via missing content hash verification"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25921",
"datePublished": "2026-03-05T18:36:30.692Z",
"dateReserved": "2026-02-09T16:22:17.785Z",
"dateUpdated": "2026-03-06T18:10:49.926Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-26194 (GCVE-0-2026-26194)
Vulnerability from nvd – Published: 2026-03-05 18:38 – Updated: 2026-03-06 18:09
VLAI
Title
Gogs: Release tag option injection in release deletion
Summary
Gogs is an open source self-hosted Git service. Prior to version 0.14.2, there's a security issue in gogs where deleting a release can fail if a user controlled tag name is passed to git without the right separator, this lets git options get injected and mess with the process. This issue has been patched in version 0.14.2.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-88 - Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/gogs/gogs/security/advisories/… | x_refsource_CONFIRM |
| https://github.com/gogs/gogs/pull/8175 | x_refsource_MISC |
| https://github.com/gogs/gogs/commit/a000f0c7a632a… | x_refsource_MISC |
| https://github.com/gogs/gogs/releases/tag/v0.14.2 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-26194",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-06T18:09:29.479182Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-06T18:09:38.115Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "gogs",
"vendor": "gogs",
"versions": [
{
"status": "affected",
"version": "\u003c 0.14.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Gogs is an open source self-hosted Git service. Prior to version 0.14.2, there\u0027s a security issue in gogs where deleting a release can fail if a user controlled tag name is passed to git without the right separator, this lets git options get injected and mess with the process. This issue has been patched in version 0.14.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-88",
"description": "CWE-88: Improper Neutralization of Argument Delimiters in a Command (\u0027Argument Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-05T18:38:38.860Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gogs/gogs/security/advisories/GHSA-v9vm-r24h-6rqm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gogs/gogs/security/advisories/GHSA-v9vm-r24h-6rqm"
},
{
"name": "https://github.com/gogs/gogs/pull/8175",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gogs/gogs/pull/8175"
},
{
"name": "https://github.com/gogs/gogs/commit/a000f0c7a632ada40e6829abdeea525db4c0fc2d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gogs/gogs/commit/a000f0c7a632ada40e6829abdeea525db4c0fc2d"
},
{
"name": "https://github.com/gogs/gogs/releases/tag/v0.14.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gogs/gogs/releases/tag/v0.14.2"
}
],
"source": {
"advisory": "GHSA-v9vm-r24h-6rqm",
"discovery": "UNKNOWN"
},
"title": "Gogs: Release tag option injection in release deletion"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-26194",
"datePublished": "2026-03-05T18:38:38.860Z",
"dateReserved": "2026-02-11T19:56:24.813Z",
"dateUpdated": "2026-03-06T18:09:38.115Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-26195 (GCVE-0-2026-26195)
Vulnerability from nvd – Published: 2026-03-05 18:40 – Updated: 2026-03-06 18:08
VLAI
Title
Gogs: Stored XSS in branch and wiki views through author and committer names
Summary
Gogs is an open source self-hosted Git service. Prior to version 0.14.2, stored xss is still possible through unsafe template rendering that mixes user input with safe plus permissive sanitizer handling of data urls. This issue has been patched in version 0.14.2.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/gogs/gogs/security/advisories/… | x_refsource_CONFIRM |
| https://github.com/gogs/gogs/pull/8176 | x_refsource_MISC |
| https://github.com/gogs/gogs/commit/ac21150a53bef… | x_refsource_MISC |
| https://github.com/gogs/gogs/releases/tag/v0.14.2 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-26195",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-06T18:08:41.703910Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-06T18:08:49.479Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "gogs",
"vendor": "gogs",
"versions": [
{
"status": "affected",
"version": "\u003c 0.14.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Gogs is an open source self-hosted Git service. Prior to version 0.14.2, stored xss is still possible through unsafe template rendering that mixes user input with safe plus permissive sanitizer handling of data urls. This issue has been patched in version 0.14.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-05T18:40:31.249Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gogs/gogs/security/advisories/GHSA-vgvf-m4fw-938j",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gogs/gogs/security/advisories/GHSA-vgvf-m4fw-938j"
},
{
"name": "https://github.com/gogs/gogs/pull/8176",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gogs/gogs/pull/8176"
},
{
"name": "https://github.com/gogs/gogs/commit/ac21150a53bef3a3061f4da787ab193a8d68ecfc",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gogs/gogs/commit/ac21150a53bef3a3061f4da787ab193a8d68ecfc"
},
{
"name": "https://github.com/gogs/gogs/releases/tag/v0.14.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gogs/gogs/releases/tag/v0.14.2"
}
],
"source": {
"advisory": "GHSA-vgvf-m4fw-938j",
"discovery": "UNKNOWN"
},
"title": "Gogs: Stored XSS in branch and wiki views through author and committer names"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-26195",
"datePublished": "2026-03-05T18:40:31.249Z",
"dateReserved": "2026-02-11T19:56:24.813Z",
"dateUpdated": "2026-03-06T18:08:49.479Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}