VYPR

Go modules package

gogs.io/gogs

pkg:golang/gogs.io/gogs

Vulnerabilities (49)

  • CVE-2026-26276 (Mar 5, 2026)
    affected <= 0.13.3

    Gogs is an open source self-hosted Git service. Prior to version 0.14.2, an attacker can store an HTML/JavaScript payload in a repository’s Milestone name, and when another user selects that Milestone on the New Issue page (/issues/new), a DOM-Based XSS is triggered. This issue h

  • CVE-2026-26196 (Mar 5, 2026)
    affected <= 0.13.3

    Gogs is an open source self-hosted Git service. Prior to version 0.14.2, the Gogs API still accepts tokens in URL query parameters such as token and access_token, which can leak through logs, browser history, and referrers. This issue has been patched in version 0.14.2.

  • CVE-2026-26195 (Mar 5, 2026)
    affected <= 0.13.3

    Gogs is an open source self-hosted Git service. Prior to version 0.14.2, stored XSS is still possible through unsafe template rendering that mixes user input with content marked as safe, combined with permissive sanitizer handling of data: URLs. This issue has been patched in version 0.14.2.

  • CVE-2026-26194 (Mar 5, 2026)
    affected < 0.14.2, fixed 0.14.2

    Gogs is an open source self-hosted Git service. Prior to version 0.14.2, there is a security issue in Gogs where deleting a release can fail if a user-controlled tag name is passed to git without the right separator; this lets git options be injected and interfere with the process. Th

  • CVE-2026-25921 (Mar 5, 2026)
    affected < 0.14.2, fixed 0.14.2

    Gogs is an open source self-hosted Git service. Prior to version 0.14.2, an LFS object overwritable across different repositories leads to a supply-chain attack: all LFS objects can be maliciously overwritten by attackers. This issue has been patched in version 0.14.2

  • CVE-2026-26022 (Mar 5, 2026)
    affected < 0.14.2, fixed 0.14.2

    Gogs is an open source self-hosted Git service. Prior to version 0.14.2, a stored cross-site scripting (XSS) vulnerability exists in the comment and issue description functionality. The application's HTML sanitizer explicitly allows data: URI schemes, enabling authenticated users

  • CVE-2026-25229 (Feb 19, 2026)
    affected < 0.14.0, fixed 0.14.0

    Gogs is an open source self-hosted Git service. Versions 0.13.4 and below have a broken access control vulnerability which allows authenticated users with write access to any repository to modify labels belonging to other repositories. The UpdateLabel function in the Web UI (inte

  • CVE-2026-25242 (Feb 19, 2026)
    affected < 0.14.1, fixed 0.14.1

    Gogs is an open source self-hosted Git service. Versions 0.13.4 and below expose unauthenticated file upload endpoints by default. When the global RequireSigninView setting is disabled (default), any remote user can upload arbitrary files to the server via /releases/attachments a

  • CVE-2026-25232 (Feb 19, 2026)
    affected < 0.14.1, fixed 0.14.1

    Gogs is an open source self-hosted Git service. Versions 0.13.4 and below have an access control bypass vulnerability which allows any repository collaborator with Write permissions to delete protected branches (including the default branch) by sending a direct POST request, comp

  • CVE-2026-25120 (Feb 19, 2026)
    affected < 0.14.0, fixed 0.14.0

    Gogs is an open source self-hosted Git service. In versions 0.13.4 and below, the DeleteComment API does not verify that the comment belongs to the repository specified in the URL. This allows a repository administrator to delete comments from any other repository by supplying ar

  • CVE-2025-65852, severity medium (Feb 6, 2026)
    affected < 0.13.4, fixed 0.13.4

    Summary: The DELETE /api/v1/repos/:owner/:repo endpoint lacks the necessary permission validation middleware. Consequently, any user with read access (including read-only collaborators) can delete the entire repository. This vulnerability stems from the API route configuration o

  • CVE-2026-24135 (Feb 6, 2026)
    affected < 0.13.4, fixed 0.13.4

    Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, a path traversal vulnerability exists in the updateWikiPage function of Gogs. The vulnerability allows an authenticated user with write access to a repository's wiki to delete arbitrary files on the serv

  • CVE-2026-23633 (Feb 6, 2026)
    affected < 0.13.4, fixed 0.13.4

    Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, there is an arbitrary file read/write via path traversal in Git hook editing. This issue has been patched in versions 0.13.4 and 0.14.0+dev.

  • CVE-2026-23632 (Feb 6, 2026)
    affected < 0.13.4, fixed 0.13.4

    Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, the endpoint "PUT /repos/:owner/:repo/contents/*" does not require write permissions and allows access with read permission only via repoAssignment(). After passing the permission check, PutContents() in

  • CVE-2026-22592 (Feb 6, 2026)
    affected < 0.13.4, fixed 0.13.4

    Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, an authenticated user can cause a denial of service (DoS). If one of the repository's files is deleted before synchronization, the application crashes. This issue has been patched in versions 0.13.4 and 0.14.0

  • CVE-2025-64175 (Feb 6, 2026)
    affected >= 0.11.19, < 0.13.4, fixed 0.13.4

    Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, Gogs’ 2FA recovery code validation does not scope codes by user, enabling cross-account bypass. If an attacker knows a victim’s username and password, they can use any unused recovery code (e.g., from th

  • CVE-2025-64111 (Feb 6, 2026)
    affected < 0.13.4, fixed 0.13.4

    Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, due to the insufficient patch for CVE-2024-56731, it's still possible to update files in the .git directory and achieve remote command execution. This issue has been patched in versions 0.13.4 and 0.14.0

  • CVE-2025-8110, listed in KEV (Dec 10, 2025)
    affected <= 0.13.3

    Improper symbolic link handling in the PutContents API in Gogs allows local code execution.

  • CVE-2025-47943, severity medium (Jun 24, 2025)
    affected < 0.13.3-0.20250608224432-110117b2e5e5, fixed 0.13.3-0.20250608224432-110117b2e5e5

    Gogs is an open source self-hosted Git service. In application version 0.14.0+dev and prior, there is a stored cross-site scripting (XSS) vulnerability present in Gogs, which allows client-side JavaScript code execution. The vulnerability is caused by the usage of a vulnerable an

  • CVE-2024-56731 (Jun 24, 2025)
    affected < 0.13.3, fixed 0.13.3

    Gogs is an open source self-hosted Git service. Prior to version 0.13.3, it's still possible to delete files under the .git directory and achieve remote command execution due to an insufficient patch for CVE-2024-39931. Unprivileged user accounts can execute arbitrary commands on

Page 1 of 3