Critical severityNVD Advisory· Published Jul 4, 2024· Updated Aug 28, 2024
CVE-2024-39930
CVE-2024-39930
Description
The built-in SSH server of Gogs through 0.13.0 allows argument injection in internal/ssh/ssh.go, leading to remote code execution. Authenticated attackers can exploit this by opening an SSH connection and sending a malicious --split-string env request if the built-in SSH server is activated. Windows installations are unaffected.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
gogs.io/gogsGo | < 0.13.1 | 0.13.1 |
Affected products
2Patches
Vulnerability mechanics
References
6- github.com/advisories/GHSA-vm62-9jw3-c8w3ghsaADVISORY
- github.com/gogs/gogs/security/advisories/GHSA-vm62-9jw3-c8w3ghsaWEB
- www.sonarsource.com/blog/securing-developer-tools-unpatched-code-vulnerabilities-in-gogs-1ghsaWEB
- www.vicarius.io/vsociety/posts/argument-injection-in-gogs-ssh-server-cve-2024-39930ghsaWEB
- github.com/gogs/gogs/releasesmitre
- www.sonarsource.com/blog/securing-developer-tools-unpatched-code-vulnerabilities-in-gogs-1/mitre
News mentions
3- Gogs patches critical zero-day enabling remote code executionBleepingComputer · Jun 8, 2026
- New Gogs zero-day flaw lets hackers get remote code executionBleepingComputer · May 28, 2026
- CVE-2026-52806: Authenticated RCE via Argument Injection in Gogs (FIXED as of June 7, 2026)Rapid7 Blog · May 28, 2026