Gogs
by Gogs
Source repositories
CVEs (66)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-64719 | | med | 0.19 | — | 0.00 | | Jun 22, 2026 | Summary: A malicious user with rights to create a new file on a repository or wiki page can trigger a denial of service condition in which the pages containing the listing of files will return HTTP error 500 and render the web interface unusable for the repository or wiki. … |
| CVE-2025-8110 | | | 0.11 | — | 0.77 | KEV | Dec 10, 2025 | Improper Symbolic link handling in the PutContents API in Gogs allows Local Execution of Code. |
| CVE-2020-15867 | | | 0.10 | — | 0.88 | | Oct 16, 2020 | The git hook feature in Gogs 0.5.5 through 0.12.2 allows for authenticated remote code execution. There can be a privilege escalation if access to this hook feature is granted to a user who does not have administrative privileges. NOTE: because this is mentioned in the… |
| CVE-2024-44625 | | | 0.07 | — | 0.15 | | Nov 15, 2024 | Gogs <=0.13.0 is vulnerable to Directory Traversal via the editFilePost function of internal/route/repo/editor.go. |
| CVE-2018-18925 | | | 0.07 | — | 0.32 | | Nov 4, 2018 | Gogs 0.11.66 allows remote code execution because it does not properly validate session IDs, as demonstrated by a ".." session-file forgery in the file session provider in file.go. This is related to session ID handling in the go-macaron/session code for Macaron. |
| CVE-2024-39931 | | | 0.01 | — | 0.51 | | Jul 4, 2024 | Gogs through 0.13.0 allows deletion of internal files. |
| CVE-2022-2024 | | | 0.01 | — | 0.98 | | Feb 25, 2023 | OS Command Injection in GitHub repository gogs/gogs prior to 0.12.11. |
| CVE-2026-52795 | | | 0.00 | — | 0.00 | | Jun 24, 2026 | Gogs is an open source self-hosted Git service. In 0.14.3 and earlier, any authenticated user can watch a private repository they have no access to, because the access check in the Watch API handler is inverted. The code checks if repoCtx.ViewerCanRead() (returns 404 when the… |
| CVE-2026-26276 | | | 0.00 | — | 0.00 | | Mar 5, 2026 | Gogs is an open source self-hosted Git service. Prior to version 0.14.2, an attacker can store an HTML/JavaScript payload in a repository’s Milestone name, and when another user selects that Milestone on the New Issue page (/issues/new), a DOM-Based XSS is triggered. This… |
| CVE-2026-26196 | | | 0.00 | — | 0.00 | | Mar 5, 2026 | Gogs is an open source self-hosted Git service. Prior to version 0.14.2, gogs api still accepts tokens in url params like token and access_token, which can leak through logs, browser history, and referrers. This issue has been patched in version 0.14.2. |
| CVE-2026-26195 | | | 0.00 | — | 0.00 | | Mar 5, 2026 | Gogs is an open source self-hosted Git service. Prior to version 0.14.2, stored xss is still possible through unsafe template rendering that mixes user input with safe plus permissive sanitizer handling of data urls. This issue has been patched in version 0.14.2. |
| CVE-2026-26194 | | | 0.00 | — | 0.00 | | Mar 5, 2026 | Gogs is an open source self-hosted Git service. Prior to version 0.14.2, there's a security issue in gogs where deleting a release can fail if a user controlled tag name is passed to git without the right separator, this lets git options get injected and mess with the process.… |
| CVE-2026-25921 | | | 0.00 | — | 0.00 | | Mar 5, 2026 | Gogs is an open source self-hosted Git service. Prior to version 0.14.2, overwritable LFS object across different repos leads to supply-chain attack, all LFS objects are vulnerable to be maliciously overwritten by malicious attackers. This issue has been patched in version… |
| CVE-2026-26022 | | | 0.00 | — | 0.00 | | Mar 5, 2026 | Gogs is an open source self-hosted Git service. Prior to version 0.14.2, a stored cross-site scripting (XSS) vulnerability exists in the comment and issue description functionality. The application's HTML sanitizer explicitly allows data: URI schemes, enabling authenticated… |
| CVE-2026-25229 | | | 0.00 | — | 0.00 | | Feb 19, 2026 | Gogs is an open source self-hosted Git service. Versions 0.13.4 and below have a broken access control vulnerability which allows authenticated users with write access to any repository to modify labels belonging to other repositories. The UpdateLabel function in the Web UI… |
| CVE-2026-25242 | | | 0.00 | — | 0.01 | | Feb 19, 2026 | Gogs is an open source self-hosted Git service. Versions 0.13.4 and below expose unauthenticated file upload endpoints by default. When the global RequireSigninView setting is disabled (default), any remote user can upload arbitrary files to the server via /releases/attachments… |
| CVE-2026-25232 | | | 0.00 | — | 0.00 | | Feb 19, 2026 | Gogs is an open source self-hosted Git service. Versions 0.13.4 and below have an access control bypass vulnerability which allows any repository collaborator with Write permissions to delete protected branches (including the default branch) by sending a direct POST request,… |
| CVE-2026-25120 | | | 0.00 | — | 0.00 | | Feb 19, 2026 | Gogs is an open source self-hosted Git service. In versions 0.13.4 and below, the DeleteComment API does not verify that the comment belongs to the repository specified in the URL. This allows a repository administrator to delete comments from any other repository by supplying… |
| CVE-2026-24135 | | | 0.00 | — | 0.01 | | Feb 6, 2026 | Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, a path traversal vulnerability exists in the updateWikiPage function of Gogs. The vulnerability allows an authenticated user with write access to a repository's wiki to delete arbitrary files on the… |
| CVE-2026-23633 | | | 0.00 | — | 0.00 | | Feb 6, 2026 | Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, there is an arbitrary file read/write via path traversal in Git hook editing. This issue has been patched in versions 0.13.4 and 0.14.0+dev. |
Page 2 of 4