Moderate severity · NVD Advisory · Published Feb 19, 2026 · Updated Feb 19, 2026
Gogs allows unauthenticated file uploads
CVE-2026-25242
Description
Gogs is an open source self-hosted Git service. Versions 0.13.4 and below expose unauthenticated file upload endpoints by default. When the global RequireSigninView setting is disabled (default), any remote user can upload arbitrary files to the server via /releases/attachments and /issues/attachments. This enables the instance to be abused as a public file host, potentially leading to disk exhaustion, content hosting, or delivery of malware. CSRF tokens do not mitigate this attack due to same-origin cookie issuance. This issue has been fixed in version 0.14.1.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| gogs.io/gogs | Go | < 0.14.1 | 0.14.1 |
Affected products (3)
- ghsa-coords, 2 versions: < 0.14.1 (+ 1 more)
- (no CPE), range: < 0.14.1
- (no CPE), range: < 0.0.20260226T182644-150000.1.149.1
Patches
Vulnerability mechanics
References (6)
- github.com/advisories/GHSA-fc3h-92p8-h36f (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-25242 (ghsa: ADVISORY)
- github.com/gogs/gogs/commit/628216d5889fcb838c471f4754f09b935d9cd9f3 (ghsa: x_refsource_MISC, WEB)
- github.com/gogs/gogs/pull/8128 (ghsa: x_refsource_MISC, WEB)
- github.com/gogs/gogs/releases/tag/v0.14.1 (ghsa: x_refsource_MISC, WEB)
- github.com/gogs/gogs/security/advisories/GHSA-fc3h-92p8-h36f (ghsa: x_refsource_CONFIRM, WEB)
News mentions (0)
No linked articles in our index yet.