Vendor CVEs
Gogs
All CVEs
66 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-15193 | Gogs | High | 0.57 | 8.8 | 0.01 | | Aug 8, 2018 | A CSRF vulnerability in the admin panel in Gogs through 0.11.53 allows remote attackers to execute admin operations via a crafted issue / link. |
| CVE-2018-16409 | Gogs | High | 0.56 | 8.6 | 0.01 | | Sep 3, 2018 | In Gogs 0.11.53, an attacker can use migrate to send arbitrary HTTP GET requests, leading to SSRF. |
| CVE-2026-52813 | Gogs | Critical | 0.52 | — | 0.01 | | Jun 23, 2026 | Summary: Organization names containing path traversal sequences (`../`) are accepted by Gogs, and repositories under them are written to paths following these path traversals. This allows storing/retrieving data for repositories at arbitrary locations on the filesystem. By… |
| CVE-2026-52811 | Gogs | Critical | 0.52 | — | 0.00 | | Jun 23, 2026 | Summary: `(*Repository).UploadRepoFiles` checks for symlinks only on the **leaf** of the upload target (`osx.IsSymlink(targetPath)`). The siblings `UpdateRepoFile`, `DeleteRepoFile`, and `GetDiffPreview` use `hasSymlinkInPath`, which lstats every component — `UploadRepoFiles`… |
| CVE-2026-52806 | Gogs | Critical | 0.52 | — | 0.01 | | Jun 23, 2026 | Gogs: RCE via `git rebase --exec` Argument Injection in PR Merge. Summary: Gogs allows authenticated users to achieve Remote Code Execution (RCE) on the server by creating a pull request with a specially crafted branch name that injects the `--exec` flag into the `git… |
| CVE-2026-52812 | Gogs | High | 0.38 | — | 0.00 | | Jun 23, 2026 | Summary: Git LFS storage is content-addressed by OID alone (`/<oid[0]>/<oid[1]>/`) but per-repo authorization lives in the `lfs_object` table keyed `(repo_id, oid)`. `serveUpload` skips re-uploading when the OID file already exists on disk and inserts a new… |
| CVE-2026-52810 | Gogs | High | 0.38 | — | 0.00 | | Jun 23, 2026 | Summary: Git smart HTTP authorizes `POST …/git-receive-pack` using the client-supplied service query string (so `?service=git-upload-pack` is evaluated as read access) while routing still runs git receive-pack, allowing push where only read should be allowed. Details: … |
| CVE-2026-52805 | Gogs | High | 0.38 | — | 0.00 | | Jun 23, 2026 | Migration URL validation bypass via HTTP redirect to blocked internal endpoints. Summary: A Server-Side Request Forgery (SSRF) vulnerability exists in the repository migration functionality. The application validates only the initially submitted URL hostname, but `git clone… |
| CVE-2026-52801 | Gogs | High | 0.38 | — | 0.01 | | Jun 23, 2026 | Summary: The Gogs Mirror Settings functionality provides any authenticated user with an alternative to the well-protected New Migration functionality for importing local repositories. This issue stems from a lack of validation in the SaveAddress function. Details: Here is… |
| CVE-2026-52800 | Gogs | High | 0.38 | — | 0.00 | | Jun 23, 2026 | Summary: In **Gogs 0.14.1**, organization team member management can be performed via **GET requests without CSRF protection**. If a victim who is an **organization owner** is logged in and is tricked into visiting a crafted link, an attacker-controlled user can be added to… |
| CVE-2026-52799 | Gogs | High | 0.38 | — | 0.00 | | Jun 22, 2026 | Summary: In Gogs 0.14.1, `GET /attachments/:uuid` returns the raw attachment file **without verifying whether the requester has view permission for the associated Issue/Comment/Release or the repository**. In a test environment with `REQUIRE_SIGNIN_VIEW = false`, we confirmed… |
| CVE-2026-52798 | Gogs | High | 0.38 | — | 0.00 | | Jun 22, 2026 | Summary: Although `.ipynb` previews are sanitized on the server side via `/-/api/sanitize_ipynb`, the inserted content is **re-rendered on the client side without sanitization** using `marked()` on elements with the `.nb-markdown-cell` class. During this process, links… |
| CVE-2026-25119 | Gogs | High | 0.38 | — | 0.01 | | Jun 22, 2026 | Summary: When `ENABLE_REVERSE_PROXY_AUTHENTICATION` is enabled, Gogs accepts the configured authentication header (default: `X-WEBAUTH-USER`) directly from client requests without validating that the request originated from a trusted reverse proxy. Any remote attacker who can… |
| CVE-2026-52797 | Gogs | High | 0.38 | — | 0.00 | | Jun 16, 2026 | **Vulnerability type:** Path Traversal. **Impact:** DoS. **Exploitation prerequisite:** authorized user. **Description:** As an authorized user, an intruder can dictate the value which is passed to the `git diff` command which, together with bypassing the filtering of the passed… |
| CVE-2025-47943 | Gogs | Medium | 0.34 | 6.3 | 0.00 | | Jun 24, 2025 | Gogs is an open source self-hosted Git service. In application version 0.14.0+dev and prior, there is a stored cross-site scripting (XSS) vulnerability present in Gogs, which allows client-side JavaScript code execution. The vulnerability is caused by the usage of a vulnerable… |
| CVE-2026-52816 | Gogs | Medium | 0.19 | — | 0.01 | | Jun 23, 2026 | Summary: The Jupyter Notebook (ipynb) sanitizer endpoint at `POST /-/api/sanitize_ipynb` allows arbitrary `data:` URIs without proper restrictions, potentially leading to Cross-Site Scripting (XSS). The endpoint uses `bluemonday.UGCPolicy()` with `p.AllowURLSchemes("data")`… |
| CVE-2026-52815 | Gogs | Medium | 0.19 | — | 0.02 | | Jun 23, 2026 | Summary: Gogs has an unauthenticated information disclosure vulnerability. The `GET /api/v1/orgs/:orgname/teams` endpoint at `internal/route/api/v1/org_team.go:8` returns all teams for any organization without requiring authentication. The route group at… |
| CVE-2026-52814 | Gogs | Medium | 0.19 | — | 0.01 | | Jun 23, 2026 | The Gogs built-in Go SSH server is vulnerable to an unauthenticated, asymmetric Denial of Service (DoS) attack. The application accepts inbound TCP connections and passes them to `golang.org/x/crypto/ssh.NewServerConn` inside a new goroutine without enforcing any read/write… |
| CVE-2026-52809 | Gogs | Medium | 0.19 | — | 0.00 | | Jun 23, 2026 | Summary: Password-reset tokens are generated using `conf.Auth.ActivateCodeLives` (the account-activation lifetime), not `conf.Auth.ResetPasswordCodeLives`. The token lifetime is baked into the token itself at generation time and is re-extracted from the token at verification… |
| CVE-2026-52802 | Gogs | Medium | 0.19 | — | 0.01 | | Jun 23, 2026 | Summary: An open redirect vulnerability exists in Gogs where attacker-controlled `redirect_to` parameters can bypass validation, allowing redirection to arbitrary external sites. Details: All redirects in Gogs that are validated via the `IsSameSite` function are… |
| CVE-2025-64719 | Gogs | Medium | 0.19 | — | 0.00 | | Jun 22, 2026 | Summary: A malicious user with rights to create a new file on a repository or wiki page can trigger a denial of service condition in which the pages containing the listing of files will return HTTP error 500 and render the web interface unusable for the repository or wiki. … |
| CVE-2025-8110 | Gogs | | 0.11 | — | 0.77 | KEV | Dec 10, 2025 | Improper symbolic link handling in the PutContents API in Gogs allows local execution of code. |
| CVE-2020-15867 | Gogs | | 0.10 | — | 0.88 | | Oct 16, 2020 | The git hook feature in Gogs 0.5.5 through 0.12.2 allows for authenticated remote code execution. There can be a privilege escalation if access to this hook feature is granted to a user who does not have administrative privileges. NOTE: because this is mentioned in the… |
| CVE-2024-44625 | Gogs | | 0.07 | — | 0.15 | | Nov 15, 2024 | Gogs <=0.13.0 is vulnerable to Directory Traversal via the editFilePost function of internal/route/repo/editor.go. |
| CVE-2018-18925 | Gogs | | 0.07 | — | 0.32 | | Nov 4, 2018 | Gogs 0.11.66 allows remote code execution because it does not properly validate session IDs, as demonstrated by a ".." session-file forgery in the file session provider in file.go. This is related to session ID handling in the go-macaron/session code for Macaron. |
| CVE-2024-39931 | Gogs | | 0.01 | — | 0.51 | | Jul 4, 2024 | Gogs through 0.13.0 allows deletion of internal files. |
| CVE-2022-2024 | Gogs | | 0.01 | — | 0.98 | | Feb 25, 2023 | OS Command Injection in GitHub repository gogs/gogs prior to 0.12.11. |
| CVE-2026-52795 | Gogs | | 0.00 | — | 0.00 | | Jun 24, 2026 | Gogs is an open source self-hosted Git service. In 0.14.3 and earlier, any authenticated user can watch a private repository they have no access to, because the access check in the Watch API handler is inverted. The code checks if repoCtx.ViewerCanRead() (returns 404 when the… |
| CVE-2026-26276 | Gogs | | 0.00 | — | 0.00 | | Mar 5, 2026 | Gogs is an open source self-hosted Git service. Prior to version 0.14.2, an attacker can store an HTML/JavaScript payload in a repository's Milestone name, and when another user selects that Milestone on the New Issue page (/issues/new), a DOM-Based XSS is triggered. This… |
| CVE-2026-26196 | Gogs | | 0.00 | — | 0.00 | | Mar 5, 2026 | Gogs is an open source self-hosted Git service. Prior to version 0.14.2, the Gogs API still accepts tokens in URL params like `token` and `access_token`, which can leak through logs, browser history, and referrers. This issue has been patched in version 0.14.2. |
| CVE-2026-26195 | Gogs | | 0.00 | — | 0.00 | | Mar 5, 2026 | Gogs is an open source self-hosted Git service. Prior to version 0.14.2, stored XSS is still possible through unsafe template rendering that mixes user input with `safe`, plus permissive sanitizer handling of data URLs. This issue has been patched in version 0.14.2. |
| CVE-2026-26194 | Gogs | | 0.00 | — | 0.00 | | Mar 5, 2026 | Gogs is an open source self-hosted Git service. Prior to version 0.14.2, there is a security issue in Gogs where deleting a release can fail if a user-controlled tag name is passed to git without the right separator; this lets git options get injected and interfere with the process.… |
| CVE-2026-25921 | Gogs | | 0.00 | — | 0.00 | | Mar 5, 2026 | Gogs is an open source self-hosted Git service. Prior to version 0.14.2, LFS objects are overwritable across different repos, which leads to a supply-chain attack: all LFS objects can be maliciously overwritten by attackers. This issue has been patched in version… |
| CVE-2026-26022 | Gogs | | 0.00 | — | 0.00 | | Mar 5, 2026 | Gogs is an open source self-hosted Git service. Prior to version 0.14.2, a stored cross-site scripting (XSS) vulnerability exists in the comment and issue description functionality. The application's HTML sanitizer explicitly allows data: URI schemes, enabling authenticated… |
| CVE-2026-25229 | Gogs | | 0.00 | — | 0.00 | | Feb 19, 2026 | Gogs is an open source self-hosted Git service. Versions 0.13.4 and below have a broken access control vulnerability which allows authenticated users with write access to any repository to modify labels belonging to other repositories. The UpdateLabel function in the Web UI… |
| CVE-2026-25242 | Gogs | | 0.00 | — | 0.01 | | Feb 19, 2026 | Gogs is an open source self-hosted Git service. Versions 0.13.4 and below expose unauthenticated file upload endpoints by default. When the global RequireSigninView setting is disabled (default), any remote user can upload arbitrary files to the server via /releases/attachments… |
| CVE-2026-25232 | Gogs | | 0.00 | — | 0.00 | | Feb 19, 2026 | Gogs is an open source self-hosted Git service. Versions 0.13.4 and below have an access control bypass vulnerability which allows any repository collaborator with Write permissions to delete protected branches (including the default branch) by sending a direct POST request,… |
| CVE-2026-25120 | Gogs | | 0.00 | — | 0.00 | | Feb 19, 2026 | Gogs is an open source self-hosted Git service. In versions 0.13.4 and below, the DeleteComment API does not verify that the comment belongs to the repository specified in the URL. This allows a repository administrator to delete comments from any other repository by supplying… |
| CVE-2026-24135 | Gogs | | 0.00 | — | 0.01 | | Feb 6, 2026 | Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, a path traversal vulnerability exists in the updateWikiPage function of Gogs. The vulnerability allows an authenticated user with write access to a repository's wiki to delete arbitrary files on the… |
| CVE-2026-23633 | Gogs | | 0.00 | — | 0.00 | | Feb 6, 2026 | Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, there is an arbitrary file read/write via path traversal in Git hook editing. This issue has been patched in versions 0.13.4 and 0.14.0+dev. |
| CVE-2026-23632 | Gogs | | 0.00 | — | 0.00 | | Feb 6, 2026 | Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, the endpoint "PUT /repos/:owner/:repo/contents/*" does not require write permissions and allows access with read permission only via repoAssignment(). After passing the permission check, PutContents()… |
| CVE-2026-22592 | Gogs | | 0.00 | — | 0.00 | | Feb 6, 2026 | Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, an authenticated user can cause a DoS attack. If one of the repo files is deleted before synchronization, it will cause the application to crash. This issue has been patched in versions 0.13.4 and… |
| CVE-2025-64175 | Gogs | | 0.00 | — | 0.00 | | Feb 6, 2026 | Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, Gogs' 2FA recovery code validation does not scope codes by user, enabling cross-account bypass. If an attacker knows a victim's username and password, they can use any unused recovery code (e.g.,… |
| CVE-2025-64111 | Gogs | | 0.00 | — | 0.01 | | Feb 6, 2026 | Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, due to the insufficient patch for CVE-2024-56731, it is still possible to update files in the .git directory and achieve remote command execution. This issue has been patched in versions 0.13.4 and… |
| CVE-2024-56731 | Gogs | | 0.00 | — | 0.01 | | Jun 24, 2025 | Gogs is an open source self-hosted Git service. Prior to version 0.13.3, it is still possible to delete files under the .git directory and achieve remote command execution due to an insufficient patch for CVE-2024-39931. Unprivileged user accounts can execute arbitrary commands… |
| CVE-2024-55947 | Gogs | | 0.00 | — | 0.75 | | Dec 23, 2024 | Gogs is an open source self-hosted Git service. A malicious user is able to write a file to an arbitrary path on the server to gain SSH access to the server. The vulnerability is fixed in 0.13.1. |
| CVE-2024-54148 | Gogs | | 0.00 | — | 0.01 | | Dec 23, 2024 | Gogs is an open source self-hosted Git service. A malicious user is able to commit and edit a crafted symlink file to a repository to gain SSH access to the server. The vulnerability is fixed in 0.13.1. |
| CVE-2022-1884 | Gogs | | 0.00 | — | 0.02 | | Nov 15, 2024 | A remote command execution vulnerability exists in gogs/gogs versions <=0.12.7 when deployed on a Windows server. The vulnerability arises due to improper validation of the `tree_path` parameter during file uploads. An attacker can set `tree_path=.git.` to upload a file into the… |
| CVE-2024-39932 | Gogs | | 0.00 | — | 0.17 | | Jul 4, 2024 | Gogs through 0.13.0 allows argument injection during the previewing of changes. |
| CVE-2024-39930 | Gogs | | 0.00 | — | 0.07 | | Jul 4, 2024 | The built-in SSH server of Gogs through 0.13.0 allows argument injection in internal/ssh/ssh.go, leading to remote code execution. Authenticated attackers can exploit this by opening an SSH connection and sending a malicious --split-string env request if the built-in SSH server… |
Page 1 of 2