High severity · CISA KEV · NVD Advisory · Published Dec 10, 2025 · Updated Feb 26, 2026
File overwrite in file update API in Gogs
CVE-2025-8110
Description
Improper Symbolic link handling in the PutContents API in Gogs allows Local Execution of Code.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| gogs.io/gogs (Go) | <= 0.13.3 | — |
Affected products (3)
- ghsa-coords (2 versions): <= 0.13.3, + 1 more
- (no CPE) range: <= 0.13.3
- (no CPE) range: < 0.0.20251230T014957-150000.1.134.1
References (12)
- github.com/advisories/GHSA-mq8m-42gh-wq7r (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-8110 (ghsa, ADVISORY)
- wiz.io/blog/wiz-research-gogs-cve-2025-8110-rce-exploit (ghsa, WEB)
- www.openwall.com/lists/oss-security/2025/12/11/3 (ghsa, WEB)
- www.openwall.com/lists/oss-security/2025/12/11/4 (ghsa, WEB)
- www.openwall.com/lists/oss-security/2026/01/17/4 (ghsa, WEB)
- www.openwall.com/lists/oss-security/2026/01/18/1 (ghsa, WEB)
- www.openwall.com/lists/oss-security/2026/01/18/2 (ghsa, WEB)
- github.com/gogs/gogs/commit/553707f3fd5f68f47f531cfcff56aa3ec294c6f6 (ghsa, WEB)
- github.com/gogs/gogs/pull/8078 (ghsa, WEB)
- github.com/gogs/gogs/pull/8082 (ghsa, WEB)
- www.cisa.gov/known-exploited-vulnerabilities-catalog (ghsa, WEB)
News mentions (3)
- Gogs patches critical zero-day enabling remote code execution · BleepingComputer · Jun 8, 2026
- Gogs Zero-Day Exposes Servers to Remote Code Execution · SecurityWeek · May 29, 2026
- New Gogs zero-day flaw lets hackers get remote code execution · BleepingComputer · May 28, 2026