Gogs
by Gogs
Source repositories
CVEs (66)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-15193 | Gogs / Gogs | High | 0.57 | 8.8 | 0.01 | | Aug 8, 2018 | A CSRF vulnerability in the admin panel in Gogs through 0.11.53 allows remote attackers to execute admin operations via a crafted issue / link. |
| CVE-2018-16409 | Gogs / Gogs | High | 0.56 | 8.6 | 0.01 | | Sep 3, 2018 | In Gogs 0.11.53, an attacker can use migrate to send arbitrary HTTP GET requests, leading to SSRF. |
| CVE-2026-52813 | Gogs / Gogs | Critical | 0.52 | — | 0.01 | | Jun 23, 2026 | Summary: Organization names containing path traversal sequences (`../`) are accepted by Gogs, and repositories under them are written to paths following these path traversals. This allows storing/retrieving data for repositories at arbitrary locations on the filesystem. By… |
| CVE-2026-52811 | Gogs / Gogs | Critical | 0.52 | — | 0.00 | | Jun 23, 2026 | Summary: `(*Repository).UploadRepoFiles` checks for symlinks only on the **leaf** of the upload target (`osx.IsSymlink(targetPath)`). The siblings `UpdateRepoFile`, `DeleteRepoFile`, and `GetDiffPreview` use `hasSymlinkInPath`, which lstats every component; `UploadRepoFiles`… |
| CVE-2026-52806 | Gogs / Gogs | Critical | 0.52 | — | 0.01 | | Jun 23, 2026 | Gogs: RCE via `git rebase --exec` Argument Injection in PR Merge. Summary: Gogs allows authenticated users to achieve Remote Code Execution (RCE) on the server by creating a pull request with a specially crafted branch name that injects the `--exec` flag into the `git… |
| CVE-2026-52812 | Gogs / Gogs | High | 0.38 | — | 0.00 | | Jun 23, 2026 | Summary: Git LFS storage is content-addressed by OID alone (`/<oid[0]>/<oid[1]>/`) but per-repo authorization lives in the `lfs_object` table keyed `(repo_id, oid)`. `serveUpload` skips re-uploading when the OID file already exists on disk and inserts a new… |
| CVE-2026-52810 | Gogs / Gogs | High | 0.38 | — | 0.00 | | Jun 23, 2026 | Summary: Git smart HTTP authorizes `POST …/git-receive-pack` using the client-supplied service query string (so `?service=git-upload-pack` is evaluated as read access) while routing still runs git receive-pack, allowing push where only read should be allowed. Details: … |
| CVE-2026-52805 | Gogs / Gogs | High | 0.38 | — | 0.00 | | Jun 23, 2026 | Migration URL validation bypass via HTTP redirect to blocked internal endpoints. Summary: A Server-Side Request Forgery (SSRF) vulnerability exists in the repository migration functionality. The application validates only the initially submitted URL hostname, but `git clone… |
| CVE-2026-52801 | Gogs / Gogs | High | 0.38 | — | 0.01 | | Jun 23, 2026 | Summary: The Gogs Mirror Settings functionality provides an alternative way, apart from the well-protected New Migration functionality, for any authenticated user to import local repositories. This issue stems from a lack of validation in the SaveAddress function. Details: Here is… |
| CVE-2026-52800 | Gogs / Gogs | High | 0.38 | — | 0.00 | | Jun 23, 2026 | Summary: In **Gogs 0.14.1**, organization team member management can be performed via **GET requests without CSRF protection**. If a victim who is an **organization owner** is logged in and is tricked into visiting a crafted link, an attacker-controlled user can be added to… |
| CVE-2026-52799 | Gogs / Gogs | High | 0.38 | — | 0.00 | | Jun 22, 2026 | Summary: In Gogs 0.14.1, `GET /attachments/:uuid` returns the raw attachment file **without verifying whether the requester has view permission for the associated Issue/Comment/Release or the repository**. In a test environment with `REQUIRE_SIGNIN_VIEW = false`, we confirmed… |
| CVE-2026-52798 | Gogs / Gogs | High | 0.38 | — | 0.00 | | Jun 22, 2026 | Summary: Although `.ipynb` previews are sanitized on the server side via `/-/api/sanitize_ipynb`, the inserted content is **re-rendered on the client side without sanitization** using `marked()` on elements with the `.nb-markdown-cell` class. During this process, links… |
| CVE-2026-25119 | Gogs / Gogs | High | 0.38 | — | 0.01 | | Jun 22, 2026 | Summary: When `ENABLE_REVERSE_PROXY_AUTHENTICATION` is enabled, Gogs accepts the configured authentication header (default: `X-WEBAUTH-USER`) directly from client requests without validating that the request originated from a trusted reverse proxy. Any remote attacker who can… |
| CVE-2026-52797 | Gogs / Gogs | High | 0.38 | — | 0.00 | | Jun 16, 2026 | **Vulnerability type:** Path Traversal; **Impact:** DoS; **Exploitation prerequisite:** authorized user; **Description:** As an authorized user, an intruder can dictate the value which is passed to the `git diff` command which, together with bypassing the filtering of the passed… |
| CVE-2025-47943 | Gogs / Gogs | Medium | 0.34 | 6.3 | 0.00 | | Jun 24, 2025 | Gogs is an open source self-hosted Git service. In application version 0.14.0+dev and prior, there is a stored cross-site scripting (XSS) vulnerability present in Gogs, which allows client-side JavaScript code execution. The vulnerability is caused by the usage of a vulnerable… |
| CVE-2026-52816 | Gogs / Gogs | Medium | 0.19 | — | 0.01 | | Jun 23, 2026 | Summary: The Jupyter Notebook (ipynb) sanitizer endpoint at `POST /-/api/sanitize_ipynb` allows arbitrary `data:` URIs without proper restrictions, potentially leading to Cross-Site Scripting (XSS). The endpoint uses `bluemonday.UGCPolicy()` with `p.AllowURLSchemes("data")`… |
| CVE-2026-52815 | Gogs / Gogs | Medium | 0.19 | — | 0.02 | | Jun 23, 2026 | Summary: Gogs has an unauthenticated information disclosure vulnerability. The `GET /api/v1/orgs/:orgname/teams` endpoint at `internal/route/api/v1/org_team.go:8` returns all teams for any organization without requiring authentication. The route group at… |
| CVE-2026-52814 | Gogs / Gogs | Medium | 0.19 | — | 0.01 | | Jun 23, 2026 | The Gogs built-in Go SSH server is vulnerable to an unauthenticated, asymmetric Denial of Service (DoS) attack. The application accepts inbound TCP connections and passes them to `golang.org/x/crypto/ssh.NewServerConn` inside a new goroutine without enforcing any read/write… |
| CVE-2026-52809 | Gogs / Gogs | Medium | 0.19 | — | 0.00 | | Jun 23, 2026 | Summary: Password-reset tokens are generated using `conf.Auth.ActivateCodeLives` (the account-activation lifetime), not `conf.Auth.ResetPasswordCodeLives`. The token lifetime is baked into the token itself at generation time and is re-extracted from the token at verification… |
| CVE-2026-52802 | Gogs / Gogs | Medium | 0.19 | — | 0.01 | | Jun 23, 2026 | Summary: An open redirect vulnerability exists in Gogs where attacker-controlled `redirect_to` parameters can bypass validation, allowing redirection to arbitrary external sites. Details: All redirects in Gogs that are validated via the `IsSameSite` function are… |
Page 1 of 4