Moderate severity · NVD Advisory · Published Feb 6, 2026 · Updated Feb 6, 2026
Gogs has arbitrary file read/write via path traversal in Git hook editing
CVE-2026-23633
Description
Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, there is an arbitrary file read/write via path traversal in Git hook editing. This issue has been patched in versions 0.13.4 and 0.14.0+dev.
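As an added example (not Gogs code and not part of the advisory), the Go snippet below shows why the fix validates the hook name against an allowlist rather than cleaning the path: filepath.Join folds `..` segments, but the cleaned result can still land outside the repository's custom_hooks directory, and a cleaned-equivalent name such as `update/../update` is not the same string as `update`. The serverSideHooks slice and all function names are assumptions standing in for Gogs' git.ServerSideHooks and its handlers; the repository path in main is constructed for the demonstration.

```go
import (
	"fmt"
	"path/filepath"
	"strings"
)

// serverSideHooks stands in for git.ServerSideHooks in Gogs (an assumption
// for this example): the hooks Git runs on the server when a push arrives.
var serverSideHooks = []string{"pre-receive", "update", "post-receive"}

// IsValidHookName is an exact-match allowlist: only a literal server-side
// hook name passes, so "../x", "" or "update/../update" are all rejected.
func IsValidHookName(name string) bool {
	for _, h := range serverSideHooks {
		if h == name {
			return true
		}
	}
	return false
}

// UncheckedHookPath mirrors the pre-fix flow: the route parameter is used
// directly as the last path element under the repository's custom_hooks dir.
func UncheckedHookPath(repoDir, name string) string {
	return filepath.Join(repoDir, "custom_hooks", name)
}

// CheckedHookPath is the post-fix flow: validate first, then build the path.
func CheckedHookPath(repoDir, name string) (string, bool) {
	if !IsValidHookName(name) {
		return "", false
	}
	return filepath.Join(repoDir, "custom_hooks", name), true
}

// EscapesDir reports whether path p, once cleaned, lies outside dir.
// filepath.Join already called Clean, so ".." segments have been folded
// into the result; this check makes the escape visible.
func EscapesDir(dir, p string) bool {
	rel, err := filepath.Rel(dir, p)
	if err != nil {
		return true
	}
	return rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

func main() {
	// Constructed repository location for the demonstration.
	repoDir := "/srv/gogs/repositories/alice/proj.git"
	hooksDir := filepath.Join(repoDir, "custom_hooks")

	for _, name := range []string{"pre-receive", "../../config", "", "update/../update"} {
		p := UncheckedHookPath(repoDir, name)
		_, ok := CheckedHookPath(repoDir, name)
		fmt.Printf("%-20q unchecked=%-52s escapes=%-5v allowlisted=%v\n",
			name, p, EscapesDir(hooksDir, p), ok)
	}
}
```

The point of the allowlist is that the set of acceptable values is tiny and fixed, so the handler never needs to reason about what a cleaned path resolves to; anything that is not literally a known hook name is a 404 before the filesystem is touched.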
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| gogs.io/gogs (Go) | < 0.13.4 | 0.13.4 |
Affected products
Patches
4894629903f9 repo: validate Git server hook name for editing
1 file changed · +23 −4
internal/route/repo/setting.go+23 −4 modified@@ -578,13 +578,27 @@ func SettingsGitHooks(c *context.Context) { c.Success(tmplRepoSettingsGithooks) } +func isValidHookName(name git.HookName) bool { + for _, h := range git.ServerSideHooks { + if h == name { + return true + } + } + return false +} + func SettingsGitHooksEdit(c *context.Context) { c.Data["Title"] = c.Tr("repo.settings.githooks") c.Data["PageIsSettingsGitHooks"] = true c.Data["RequireSimpleMDE"] = true - name := c.Params(":name") - hook, err := c.Repo.GitRepo.Hook("custom_hooks", git.HookName(name)) + name := git.HookName(c.Params(":name")) + if !isValidHookName(name) { + c.NotFound() + return + } + + hook, err := c.Repo.GitRepo.Hook("custom_hooks", name) if err != nil { c.NotFoundOrError(osutil.NewError(err), "get hook") return @@ -594,8 +608,13 @@ func SettingsGitHooksEdit(c *context.Context) { } func SettingsGitHooksEditPost(c *context.Context) { - name := c.Params(":name") - hook, err := c.Repo.GitRepo.Hook("custom_hooks", git.HookName(name)) + name := git.HookName(c.Params(":name")) + if !isValidHookName(name) { + c.NotFound() + return + } + + hook, err := c.Repo.GitRepo.Hook("custom_hooks", name) if err != nil { c.NotFoundOrError(osutil.NewError(err), "get hook") return
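Review bot: isValidHookName is the right shape of fix for the first hunk, an exact-match allowlist against git.ServerSideHooks rather than stripping `..` or separators from the route parameter, so anything that is not literally one of the known hook names (the empty string included) gets c.NotFound() before c.Repo.GitRepo.Hook is reached. Worth adding in the same change is a table-driven unit test for isValidHookName that covers each entry of git.ServerSideHooks plus a few rejected forms, so a later edit to that slice cannot silently widen what reaches the hook lookup.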
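Review bot: in the second hunk the guard `name := git.HookName(c.Params(":name"))` / `if !isValidHookName(name) { c.NotFound(); return }` is now copied verbatim from SettingsGitHooksEdit into SettingsGitHooksEditPost; consider folding the guard together with the following `c.Repo.GitRepo.Hook("custom_hooks", name)` call into one helper that returns the hook or writes the 404, so a future handler that edits hooks cannot skip the check. It is also worth confirming during review that this file is the only place a request-controlled name reaches GitRepo.Hook.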
References
- github.com/advisories/GHSA-mrph-w4hh-gx3g (GitHub advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-23633 (NVD entry)
- github.com/gogs/gogs/commit/4894629903f9508fe85567c44f68804f008f1655 (fix commit)
- github.com/gogs/gogs/releases/tag/v0.13.4 (patched release)
- github.com/gogs/gogs/security/advisories/GHSA-mrph-w4hh-gx3g (vendor advisory)