Gogs
by Gogs
Source repositories
CVEs (66)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-23632 | | | 0.00 | — | 0.00 | | Feb 6, 2026 | Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, the endpoint "PUT /repos/:owner/:repo/contents/*" does not require write permissions and allows access with read permission only via repoAssignment(). After passing the permission check, PutContents()… |
| CVE-2026-22592 | | | 0.00 | — | 0.00 | | Feb 6, 2026 | Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, an authenticated user can cause a DoS attack. If one of the repo files is deleted before synchronization, it will cause the application to crash. This issue has been patched in versions 0.13.4 and… |
| CVE-2025-64175 | | | 0.00 | — | 0.00 | | Feb 6, 2026 | Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, Gogs’ 2FA recovery code validation does not scope codes by user, enabling cross-account bypass. If an attacker knows a victim’s username and password, they can use any unused recovery code (e.g.,… |
| CVE-2025-64111 | | | 0.00 | — | 0.01 | | Feb 6, 2026 | Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, due to the insufficient patch for CVE-2024-56731, it's still possible to update files in the .git directory and achieve remote command execution. This issue has been patched in versions 0.13.4 and… |
| CVE-2024-56731 | | | 0.00 | — | 0.01 | | Jun 24, 2025 | Gogs is an open source self-hosted Git service. Prior to version 0.13.3, it's still possible to delete files under the .git directory and achieve remote command execution due to an insufficient patch for CVE-2024-39931. Unprivileged user accounts can execute arbitrary commands… |
| CVE-2024-55947 | | | 0.00 | — | 0.75 | | Dec 23, 2024 | Gogs is an open source self-hosted Git service. A malicious user is able to write a file to an arbitrary path on the server to gain SSH access to the server. The vulnerability is fixed in 0.13.1. |
| CVE-2024-54148 | | | 0.00 | — | 0.01 | | Dec 23, 2024 | Gogs is an open source self-hosted Git service. A malicious user is able to commit and edit a crafted symlink file to a repository to gain SSH access to the server. The vulnerability is fixed in 0.13.1. |
| CVE-2022-1884 | | | 0.00 | — | 0.02 | | Nov 15, 2024 | A remote command execution vulnerability exists in gogs/gogs versions <=0.12.7 when deployed on a Windows server. The vulnerability arises due to improper validation of the `tree_path` parameter during file uploads. An attacker can set `tree_path=.git.` to upload a file into the… |
| CVE-2024-39932 | | | 0.00 | — | 0.17 | | Jul 4, 2024 | Gogs through 0.13.0 allows argument injection during the previewing of changes. |
| CVE-2024-39930 | | | 0.00 | — | 0.07 | | Jul 4, 2024 | The built-in SSH server of Gogs through 0.13.0 allows argument injection in internal/ssh/ssh.go, leading to remote code execution. Authenticated attackers can exploit this by opening an SSH connection and sending a malicious --split-string env request if the built-in SSH server… |
| CVE-2024-39933 | | | 0.00 | — | 0.01 | | Jul 4, 2024 | Gogs through 0.13.0 allows argument injection during the tagging of a new release. |
| CVE-2022-32174 | | | 0.00 | — | 0.58 | | Oct 11, 2022 | In Gogs, versions v0.6.5 through v0.12.10 are vulnerable to Stored Cross-Site Scripting (XSS) that leads to an account takeover. |
| CVE-2022-1986 | | | 0.00 | — | 0.04 | | Jun 9, 2022 | OS Command Injection in GitHub repository gogs/gogs prior to 0.12.9. |
| CVE-2022-31038 | | | 0.00 | — | 0.01 | | Jun 8, 2022 | Gogs is an open source self-hosted Git service. In versions of gogs prior to 0.12.9 `DisplayName` does not filter characters input from users, which leads to an XSS vulnerability when directly displayed in the issue list. This issue has been resolved in commit 155cae1d which… |
| CVE-2022-1993 | | | 0.00 | — | 0.51 | | Jun 8, 2022 | Path Traversal in GitHub repository gogs/gogs prior to 0.12.9. |
| CVE-2022-1992 | | | 0.00 | — | 0.02 | | Jun 8, 2022 | Path Traversal in GitHub repository gogs/gogs prior to 0.12.9. |
| CVE-2022-1285 | | | 0.00 | — | 0.01 | | Jun 1, 2022 | Server-Side Request Forgery (SSRF) in GitHub repository gogs/gogs prior to 0.12.8. |
| CVE-2021-32546 | | | 0.00 | — | 0.02 | | May 31, 2022 | Missing input validation in internal/db/repo_editor.go in Gogs before 0.12.8 allows an attacker to execute code remotely. An unprivileged attacker (registered user) can overwrite the Git configuration in his repository. This leads to Remote Command Execution, because that… |
| CVE-2022-1464 | | | 0.00 | — | 0.01 | | May 5, 2022 | Stored XSS bug in GitHub repository gogs/gogs prior to 0.12.7. As the repo is public, any user can view the report and, when opening the attachment, the XSS is executed. This bug allows executing any JavaScript code in the victim's account. |
| CVE-2022-0415 | | | 0.00 | — | 0.65 | | Mar 21, 2022 | Remote Command Execution in uploading repository file in GitHub repository gogs/gogs prior to 0.12.6. |