Gogs: All CVEs (VYPR vendor CVE listing)

66 total · sorted by risk
  • CVE-2018-15193 · High · Aug 8, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    A CSRF vulnerability in the admin panel in Gogs through 0.11.53 allows remote attackers to execute admin operations via a crafted issue / link.

  • CVE-2018-16409 · High · Sep 3, 2018
    risk 0.56 · cvss 8.6 · epss 0.01

    In Gogs 0.11.53, an attacker can use migrate to send arbitrary HTTP GET requests, leading to SSRF.

  • CVE-2026-52813 · Critical · Jun 23, 2026
    risk 0.52 · cvss n/a · epss 0.01

    Summary: Organization names containing path traversal sequences (`../`) are accepted by Gogs, and repositories under them are written to paths following these path traversals. This allows storing/retrieving data for repositories at arbitrary locations on the filesystem. By…

  • CVE-2026-52811 · Critical · Jun 23, 2026
    risk 0.52 · cvss n/a · epss 0.00

    Summary: `(*Repository).UploadRepoFiles` checks for symlinks only on the leaf of the upload target (`osx.IsSymlink(targetPath)`). The siblings `UpdateRepoFile`, `DeleteRepoFile`, and `GetDiffPreview` use `hasSymlinkInPath`, which lstats every component; `UploadRepoFiles`…

  • CVE-2026-52806 · Critical · Jun 23, 2026
    risk 0.52 · cvss n/a · epss 0.01

    Gogs: RCE via `git rebase --exec` Argument Injection in PR Merge. Summary: Gogs allows authenticated users to achieve Remote Code Execution (RCE) on the server by creating a pull request with a specially crafted branch name that injects the `--exec` flag into the `git…

  • CVE-2026-52812 · High · Jun 23, 2026
    risk 0.38 · cvss n/a · epss 0.00

    Summary: Git LFS storage is content-addressed by OID alone (`/<oid[0]>/<oid[1]>/`) but per-repo authorization lives in the `lfs_object` table keyed `(repo_id, oid)`. `serveUpload` skips re-uploading when the OID file already exists on disk and inserts a new…

  • CVE-2026-52810 · High · Jun 23, 2026
    risk 0.38 · cvss n/a · epss 0.00

    Summary: Git smart HTTP authorizes `POST …/git-receive-pack` using the client-supplied service query string (so `?service=git-upload-pack` is evaluated as read access) while routing still runs git receive-pack, allowing push where only read should be allowed. Details: …

  • CVE-2026-52805 · High · Jun 23, 2026
    risk 0.38 · cvss n/a · epss 0.00

    Migration URL validation bypass via HTTP redirect to blocked internal endpoints. Summary: A Server-Side Request Forgery (SSRF) vulnerability exists in the repository migration functionality. The application validates only the initially submitted URL hostname, but `git clone…

  • CVE-2026-52801 · High · Jun 23, 2026
    risk 0.38 · cvss n/a · epss 0.01

    Summary: The Gogs Mirror Settings functionality provides any authenticated user with an alternative, less protected way than the New Migration functionality to import local repositories. This issue stems from a lack of validation in the SaveAddress function. Details: Here is…

  • CVE-2026-52800 · High · Jun 23, 2026
    risk 0.38 · cvss n/a · epss 0.00

    Summary: In Gogs 0.14.1, organization team member management can be performed via GET requests without CSRF protection. If a victim who is an organization owner is logged in and is tricked into visiting a crafted link, an attacker-controlled user can be added to…

  • CVE-2026-52799 · High · Jun 22, 2026
    risk 0.38 · cvss n/a · epss 0.00

    Summary: In Gogs 0.14.1, `GET /attachments/:uuid` returns the raw attachment file without verifying whether the requester has view permission for the associated Issue/Comment/Release or the repository. In a test environment with `REQUIRE_SIGNIN_VIEW = false`, we confirmed…

  • CVE-2026-52798 · High · Jun 22, 2026
    risk 0.38 · cvss n/a · epss 0.00

    Summary: Although `.ipynb` previews are sanitized on the server side via `/-/api/sanitize_ipynb`, the inserted content is re-rendered on the client side without sanitization using `marked()` on elements with the `.nb-markdown-cell` class. During this process, links…

  • CVE-2026-25119 · High · Jun 22, 2026
    risk 0.38 · cvss n/a · epss 0.01

    Summary: When `ENABLE_REVERSE_PROXY_AUTHENTICATION` is enabled, Gogs accepts the configured authentication header (default: `X-WEBAUTH-USER`) directly from client requests without validating that the request originated from a trusted reverse proxy. Any remote attacker who can…

  • CVE-2026-52797 · High · Jun 16, 2026
    risk 0.38 · cvss n/a · epss 0.00

    Vulnerability type: Path Traversal. Impact: DoS. Exploitation prerequisite: authorized user. Description: As an authorized user, an intruder can dictate the value passed to the `git diff` command, which, together with bypassing the filtering of the passed…

  • CVE-2025-47943 · Medium · Jun 24, 2025
    risk 0.34 · cvss 6.3 · epss 0.00

    Gogs is an open source self-hosted Git service. In application version 0.14.0+dev and prior, there is a stored cross-site scripting (XSS) vulnerability present in Gogs, which allows client-side JavaScript code execution. The vulnerability is caused by the usage of a vulnerable…

  • CVE-2026-52816 · Medium · Jun 23, 2026
    risk 0.19 · cvss n/a · epss 0.01

    Summary: The Jupyter Notebook (ipynb) sanitizer endpoint at `POST /-/api/sanitize_ipynb` allows arbitrary `data:` URIs without proper restrictions, potentially leading to Cross-Site Scripting (XSS). The endpoint uses `bluemonday.UGCPolicy()` with `p.AllowURLSchemes("data")`…

  • CVE-2026-52815 · Medium · Jun 23, 2026
    risk 0.19 · cvss n/a · epss 0.02

    Summary: Gogs has an unauthenticated information disclosure vulnerability. The `GET /api/v1/orgs/:orgname/teams` endpoint at `internal/route/api/v1/org_team.go:8` returns all teams for any organization without requiring authentication. The route group at…

  • CVE-2026-52814 · Medium · Jun 23, 2026
    risk 0.19 · cvss n/a · epss 0.01

    The Gogs built-in Go SSH server is vulnerable to an unauthenticated, asymmetric Denial of Service (DoS) attack. The application accepts inbound TCP connections and passes them to `golang.org/x/crypto/ssh.NewServerConn` inside a new goroutine without enforcing any read/write…

  • CVE-2026-52809 · Medium · Jun 23, 2026
    risk 0.19 · cvss n/a · epss 0.00

    Summary: Password-reset tokens are generated using `conf.Auth.ActivateCodeLives` (the account-activation lifetime), not `conf.Auth.ResetPasswordCodeLives`. The token lifetime is baked into the token itself at generation time and is re-extracted from the token at verification…

  • CVE-2026-52802 · Medium · Jun 23, 2026
    risk 0.19 · cvss n/a · epss 0.01

    Summary: An open redirect vulnerability exists in Gogs where attacker-controlled `redirect_to` parameters can bypass validation, allowing redirection to arbitrary external sites. Details: All redirects in Gogs that are validated via the `IsSameSite` function are…

  • CVE-2025-64719 · Medium · Jun 22, 2026
    risk 0.19 · cvss n/a · epss 0.00

    Summary: A malicious user with rights to create a new file on a repository or wiki page can trigger a denial of service condition in which the pages containing the listing of files will return HTTP error 500 and render the web interface unusable for the repository or wiki. …

  • CVE-2025-8110 · KEV · Dec 10, 2025
    risk 0.11 · cvss n/a · epss 0.77

    Improper symbolic link handling in the PutContents API in Gogs allows local execution of code.

  • CVE-2020-15867 · Oct 16, 2020
    risk 0.10 · cvss n/a · epss 0.88

    The git hook feature in Gogs 0.5.5 through 0.12.2 allows for authenticated remote code execution. There can be a privilege escalation if access to this hook feature is granted to a user who does not have administrative privileges. NOTE: because this is mentioned in the…

  • CVE-2024-44625 · Nov 15, 2024
    risk 0.07 · cvss n/a · epss 0.15

    Gogs <=0.13.0 is vulnerable to Directory Traversal via the editFilePost function of internal/route/repo/editor.go.

  • CVE-2018-18925 · Nov 4, 2018
    risk 0.07 · cvss n/a · epss 0.32

    Gogs 0.11.66 allows remote code execution because it does not properly validate session IDs, as demonstrated by a ".." session-file forgery in the file session provider in file.go. This is related to session ID handling in the go-macaron/session code for Macaron.

  • CVE-2024-39931 · Jul 4, 2024
    risk 0.01 · cvss n/a · epss 0.51

    Gogs through 0.13.0 allows deletion of internal files.

  • CVE-2022-2024 · Feb 25, 2023
    risk 0.01 · cvss n/a · epss 0.98

    OS Command Injection in GitHub repository gogs/gogs prior to 0.12.11.

  • CVE-2026-52795 · Jun 24, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Gogs is an open source self-hosted Git service. In 0.14.3 and earlier, any authenticated user can watch a private repository they have no access to, because the access check in the Watch API handler is inverted. The code checks if repoCtx.ViewerCanRead() (returns 404 when the…

  • CVE-2026-26276 · Mar 5, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Gogs is an open source self-hosted Git service. Prior to version 0.14.2, an attacker can store an HTML/JavaScript payload in a repository’s Milestone name, and when another user selects that Milestone on the New Issue page (/issues/new), a DOM-Based XSS is triggered. This…

  • CVE-2026-26196 · Mar 5, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Gogs is an open source self-hosted Git service. Prior to version 0.14.2, the Gogs API still accepts tokens in URL parameters such as token and access_token, which can leak through logs, browser history, and referrers. This issue has been patched in version 0.14.2.

  • CVE-2026-26195 · Mar 5, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Gogs is an open source self-hosted Git service. Prior to version 0.14.2, stored XSS is still possible through unsafe template rendering that mixes user input with safe, combined with permissive sanitizer handling of data URLs. This issue has been patched in version 0.14.2.

  • CVE-2026-26194 · Mar 5, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Gogs is an open source self-hosted Git service. Prior to version 0.14.2, there is a security issue in Gogs where deleting a release can fail if a user-controlled tag name is passed to git without the right separator; this lets git options be injected and interfere with the process.…

  • CVE-2026-25921 · Mar 5, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Gogs is an open source self-hosted Git service. Prior to version 0.14.2, an LFS object can be overwritten across different repositories, leading to a supply-chain attack; all LFS objects can be maliciously overwritten by attackers. This issue has been patched in version…

  • CVE-2026-26022 · Mar 5, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Gogs is an open source self-hosted Git service. Prior to version 0.14.2, a stored cross-site scripting (XSS) vulnerability exists in the comment and issue description functionality. The application's HTML sanitizer explicitly allows data: URI schemes, enabling authenticated…

  • CVE-2026-25229 · Feb 19, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Gogs is an open source self-hosted Git service. Versions 0.13.4 and below have a broken access control vulnerability which allows authenticated users with write access to any repository to modify labels belonging to other repositories. The UpdateLabel function in the Web UI…

  • CVE-2026-25242 · Feb 19, 2026
    risk 0.00 · cvss n/a · epss 0.01

    Gogs is an open source self-hosted Git service. Versions 0.13.4 and below expose unauthenticated file upload endpoints by default. When the global RequireSigninView setting is disabled (default), any remote user can upload arbitrary files to the server via /releases/attachments…

  • CVE-2026-25232 · Feb 19, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Gogs is an open source self-hosted Git service. Versions 0.13.4 and below have an access control bypass vulnerability which allows any repository collaborator with Write permissions to delete protected branches (including the default branch) by sending a direct POST request,…

  • CVE-2026-25120 · Feb 19, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Gogs is an open source self-hosted Git service. In versions 0.13.4 and below, the DeleteComment API does not verify that the comment belongs to the repository specified in the URL. This allows a repository administrator to delete comments from any other repository by supplying…

  • CVE-2026-24135 · Feb 6, 2026
    risk 0.00 · cvss n/a · epss 0.01

    Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, a path traversal vulnerability exists in the updateWikiPage function of Gogs. The vulnerability allows an authenticated user with write access to a repository's wiki to delete arbitrary files on the…

  • CVE-2026-23633 · Feb 6, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, there is an arbitrary file read/write via path traversal in Git hook editing. This issue has been patched in versions 0.13.4 and 0.14.0+dev.

  • CVE-2026-23632 · Feb 6, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, the endpoint "PUT /repos/:owner/:repo/contents/*" does not require write permissions and allows access with read permission only via repoAssignment(). After passing the permission check, PutContents()…

  • CVE-2026-22592 · Feb 6, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, an authenticated user can cause a DoS attack. If one of the repo files is deleted before synchronization, it will cause the application to crash. This issue has been patched in versions 0.13.4 and…

  • CVE-2025-64175 · Feb 6, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, Gogs’ 2FA recovery code validation does not scope codes by user, enabling cross-account bypass. If an attacker knows a victim’s username and password, they can use any unused recovery code (e.g.,…

  • CVE-2025-64111 · Feb 6, 2026
    risk 0.00 · cvss n/a · epss 0.01

    Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, due to the insufficient patch for CVE-2024-56731, it's still possible to update files in the .git directory and achieve remote command execution. This issue has been patched in versions 0.13.4 and…

  • CVE-2024-56731 · Jun 24, 2025
    risk 0.00 · cvss n/a · epss 0.01

    Gogs is an open source self-hosted Git service. Prior to version 0.13.3, it's still possible to delete files under the .git directory and achieve remote command execution due to an insufficient patch for CVE-2024-39931. Unprivileged user accounts can execute arbitrary commands…

  • CVE-2024-55947 · Dec 23, 2024
    risk 0.00 · cvss n/a · epss 0.75

    Gogs is an open source self-hosted Git service. A malicious user is able to write a file to an arbitrary path on the server to gain SSH access to the server. The vulnerability is fixed in 0.13.1.

  • CVE-2024-54148 · Dec 23, 2024
    risk 0.00 · cvss n/a · epss 0.01

    Gogs is an open source self-hosted Git service. A malicious user is able to commit and edit a crafted symlink file to a repository to gain SSH access to the server. The vulnerability is fixed in 0.13.1.

  • CVE-2022-1884 · Nov 15, 2024
    risk 0.00 · cvss n/a · epss 0.02

    A remote command execution vulnerability exists in gogs/gogs versions <=0.12.7 when deployed on a Windows server. The vulnerability arises due to improper validation of the `tree_path` parameter during file uploads. An attacker can set `tree_path=.git.` to upload a file into the…

  • CVE-2024-39932 · Jul 4, 2024
    risk 0.00 · cvss n/a · epss 0.17

    Gogs through 0.13.0 allows argument injection during the previewing of changes.

  • CVE-2024-39930 · Jul 4, 2024
    risk 0.00 · cvss n/a · epss 0.07

    The built-in SSH server of Gogs through 0.13.0 allows argument injection in internal/ssh/ssh.go, leading to remote code execution. Authenticated attackers can exploit this by opening an SSH connection and sending a malicious --split-string env request if the built-in SSH server…

Page 1 of 2