VYPR

Gogs

by Gogs

Source repositories

CVEs (66)

  • CVE-2018-15193 (High) Aug 8, 2018
    risk 0.57, cvss 8.8, epss 0.01

    A CSRF vulnerability in the admin panel in Gogs through 0.11.53 allows remote attackers to execute admin operations via a crafted issue / link.

  • CVE-2018-16409 (High) Sep 3, 2018
    risk 0.56, cvss 8.6, epss 0.01

    In Gogs 0.11.53, an attacker can use migrate to send arbitrary HTTP GET requests, leading to SSRF.

  • CVE-2026-52813 (Critical) Jun 23, 2026
    risk 0.52, cvss not listed, epss 0.01

    Summary: Organization names containing path traversal sequences (`../`) are accepted by Gogs, and repositories under them are written to paths following these path traversals. This allows storing/retrieving data for repositories at arbitrary locations on the filesystem. By…

  • CVE-2026-52811 (Critical) Jun 23, 2026
    risk 0.52, cvss not listed, epss 0.00

    Summary: `(*Repository).UploadRepoFiles` checks for symlinks only on the leaf of the upload target (`osx.IsSymlink(targetPath)`). The siblings `UpdateRepoFile`, `DeleteRepoFile`, and `GetDiffPreview` use `hasSymlinkInPath`, which lstats every component — `UploadRepoFiles`…

  • CVE-2026-52806 (Critical) Jun 23, 2026
    risk 0.52, cvss not listed, epss 0.01

    Gogs: RCE via `git rebase --exec` Argument Injection in PR Merge. Summary: Gogs allows authenticated users to achieve Remote Code Execution (RCE) on the server by creating a pull request with a specially crafted branch name that injects the `--exec` flag into the `git…

  • CVE-2026-52812 (High) Jun 23, 2026
    risk 0.38, cvss not listed, epss 0.00

    Summary: Git LFS storage is content-addressed by OID alone (`/<oid[0]>/<oid[1]>/`) but per-repo authorization lives in the `lfs_object` table keyed `(repo_id, oid)`. `serveUpload` skips re-uploading when the OID file already exists on disk and inserts a new…

  • CVE-2026-52810 (High) Jun 23, 2026
    risk 0.38, cvss not listed, epss 0.00

    Summary: Git smart HTTP authorizes `POST …/git-receive-pack` using the client-supplied service query string (so `?service=git-upload-pack` is evaluated as read access) while routing still runs git receive-pack, allowing push where only read should be allowed. Details: …

  • CVE-2026-52805 (High) Jun 23, 2026
    risk 0.38, cvss not listed, epss 0.00

    Migration URL validation bypass via HTTP redirect to blocked internal endpoints. Summary: A Server-Side Request Forgery (SSRF) vulnerability exists in the repository migration functionality. The application validates only the initially submitted URL hostname, but `git clone…

  • CVE-2026-52801 (High) Jun 23, 2026
    risk 0.38, cvss not listed, epss 0.01

    Summary: The Gogs Mirror Settings functionality provides an alternative way, apart from the well-protected New Migration functionality, for any authenticated user to import local repositories. This issue stems from a lack of validation in the SaveAddress function. Details: Here is…

  • CVE-2026-52800 (High) Jun 23, 2026
    risk 0.38, cvss not listed, epss 0.00

    Summary: In Gogs 0.14.1, organization team member management can be performed via GET requests without CSRF protection. If a victim who is an organization owner is logged in and is tricked into visiting a crafted link, an attacker-controlled user can be added to…

  • CVE-2026-52799 (High) Jun 22, 2026
    risk 0.38, cvss not listed, epss 0.00

    Summary: In Gogs 0.14.1, `GET /attachments/:uuid` returns the raw attachment file without verifying whether the requester has view permission for the associated Issue/Comment/Release or the repository. In a test environment with `REQUIRE_SIGNIN_VIEW = false`, we confirmed…

  • CVE-2026-52798 (High) Jun 22, 2026
    risk 0.38, cvss not listed, epss 0.00

    Summary: Although `.ipynb` previews are sanitized on the server side via `/-/api/sanitize_ipynb`, the inserted content is re-rendered on the client side without sanitization using `marked()` on elements with the `.nb-markdown-cell` class. During this process, links…

  • CVE-2026-25119 (High) Jun 22, 2026
    risk 0.38, cvss not listed, epss 0.01

    Summary: When `ENABLE_REVERSE_PROXY_AUTHENTICATION` is enabled, Gogs accepts the configured authentication header (default: `X-WEBAUTH-USER`) directly from client requests without validating that the request originated from a trusted reverse proxy. Any remote attacker who can…

  • CVE-2026-52797 (High) Jun 16, 2026
    risk 0.38, cvss not listed, epss 0.00

    Vulnerability type: Path Traversal. Impact: DoS. Exploitation prerequisite: authorized user. Description: As an authorized user, an intruder can dictate the value which is passed to the `git diff` command which, together with bypassing the filtering of the passed…

  • CVE-2025-47943 (Medium) Jun 24, 2025
    risk 0.34, cvss 6.3, epss 0.00

    Gogs is an open source self-hosted Git service. In application version 0.14.0+dev and prior, there is a stored cross-site scripting (XSS) vulnerability present in Gogs, which allows client-side Javascript code execution. The vulnerability is caused by the usage of a vulnerable…

  • CVE-2026-52816 (Medium) Jun 23, 2026
    risk 0.19, cvss not listed, epss 0.01

    Summary: The Jupyter Notebook (ipynb) sanitizer endpoint at `POST /-/api/sanitize_ipynb` allows arbitrary `data:` URIs without proper restrictions, potentially leading to Cross-Site Scripting (XSS). The endpoint uses `bluemonday.UGCPolicy()` with `p.AllowURLSchemes("data")`…

  • CVE-2026-52815 (Medium) Jun 23, 2026
    risk 0.19, cvss not listed, epss 0.02

    Summary: Gogs has an unauthenticated information disclosure vulnerability. The `GET /api/v1/orgs/:orgname/teams` endpoint at `internal/route/api/v1/org_team.go:8` returns all teams for any organization without requiring authentication. The route group at…

  • CVE-2026-52814 (Medium) Jun 23, 2026
    risk 0.19, cvss not listed, epss 0.01

    The Gogs built-in Go SSH server is vulnerable to an unauthenticated, asymmetric Denial of Service (DoS) attack. The application accepts inbound TCP connections and passes them to `golang.org/x/crypto/ssh.NewServerConn` inside a new goroutine without enforcing any read/write…

  • CVE-2026-52809 (Medium) Jun 23, 2026
    risk 0.19, cvss not listed, epss 0.00

    Summary: Password-reset tokens are generated using `conf.Auth.ActivateCodeLives` (the account-activation lifetime), not `conf.Auth.ResetPasswordCodeLives`. The token lifetime is baked into the token itself at generation time and is re-extracted from the token at verification…

  • CVE-2026-52802 (Medium) Jun 23, 2026
    risk 0.19, cvss not listed, epss 0.01

    Summary: An open redirect vulnerability exists in Gogs where attacker-controlled `redirect_to` parameters can bypass validation, allowing redirection to arbitrary external sites. Details: All redirects in Gogs that are validated via the `IsSameSite` function are…
