gogs
Products: gogs
Score: 26.4 | CVEs: 21 | Active: 1 | PoC: 20 | KEV: 1 | Rank: #98
| CVE ID | Published | CVSS | Exploit | KEV | AC | PR | Auto | Score | Affected Products | Description |
|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2026-25119 | 2026-06-24 | 7.7 (v4.0) | POC | — | Low | None | YES | 0.0 | gogs | Gogs is an open source self-hosted Git service. Prior to 0.14.3, when ENABLE_REVERSE_PROXY_AUTHENTICATION is enabled, Gogs accepts the configured authentication header (default: X-WEBAUTH-USER) directly from client requests without validating that the request originated from a trusted reverse proxy. |
| CVE-2026-47267 | 2026-06-24 | 8.3 (v3.1) | POC | — | Low | None | YES | 0.0 | gogs | Gogs is an open source self-hosted Git service. Prior to 0.14.3, the fix for CVE-2022-1285 prevents adding webhooks or running webhooks with URLs whose hostname resolves into localCIDRs. However, webhooks still follow redirects, allowing access to hostnames inside localCIDRs. This vulnerability is |
| CVE-2026-52795 | 2026-06-24 | 4.3 (v3.1) | POC | — | Low | Low | no | 0.0 | gogs | Gogs is an open source self-hosted Git service. In 0.14.3 and earlier, any authenticated user can watch a private repository they have no access to, because the access check in the Watch API handler is inverted. The code checks if repoCtx.ViewerCanRead() (returns 404 when the user CAN read) instead |
| CVE-2026-52797 | 2026-06-24 | 8.5 (v3.1) | POC | — | Low | Low | no | 0.0 | gogs | Gogs is an open source self-hosted Git service. Prior to 0.14.0, as an authorized user, an intruder can dictate the value which is passed to the git diff command which, together with bypassing the filtering of the passed value, allows the user to bypass the target directory and write the result of t |
| CVE-2026-52799 | 2026-06-24 | 7.5 (v3.1) | POC | — | Low | None | YES | 0.0 | gogs | Gogs is an open source self-hosted Git service. Prior to 0.14.3, GET /attachments/:uuid returns the raw attachment file without verifying whether the requester has view permission for the associated Issue/Comment/Release or the repository. In a test environment with REQUIRE_SIGNIN_VIEW = false, we c |
| CVE-2026-52801 | 2026-06-24 | 8.1 (v3.1) | POC | — | Low | Low | no | 0.0 | gogs | Gogs is an open source self-hosted Git service. Prior to 0.14.3, the Gogs Mirror Settings functionality provides an alternative way from the well protected New Migration functionality for any authenticated user to import local repositories. This issue stems from a lack of validation of SaveAddress f |
| CVE-2026-52806 | 2026-06-24 | 9.9 (v3.1) | POC | — | Low | Low | no | 0.0 | gogs | Gogs is an open source self-hosted Git service. Prior to 0.14.3, Gogs allows authenticated users to achieve Remote Code Execution (RCE) on the server by creating a pull request with a specially crafted branch name that injects the --exec flag into the git rebase command during the "Rebase before mer |
| CVE-2026-52808 | 2026-06-24 | 7.1 (v3.1) | POC | — | Low | Low | no | 0.0 | gogs | Gogs is an open source self-hosted Git service. Prior to 0.14.3, three API endpoints (PATCH /api/v1/repos/:owner/:repo/issue-tracker, PATCH /api/v1/repos/:owner/:repo/wiki, and POST /api/v1/repos/:owner/:repo/mirror-sync) are gated by reqRepoWriter() rather than reqRepoAdmin(). The equivalent oper |
| CVE-2026-52810 | 2026-06-24 | 7.1 (v4.0) | POC | — | Low | Low | no | 0.0 | gogs | Gogs is an open source self-hosted Git service. Prior to 0.14.3, Git smart HTTP authorizes POST …/git-receive-pack using the client-supplied service query string (so ?service=git-upload-pack is evaluated as read access) while routing still runs git receive-pack, allowing push where only read should |
| CVE-2026-52811 | 2026-06-24 | 9.0 (v4.0) | POC | — | Low | Low | no | 0.0 | gogs | Gogs is an open source self-hosted Git service. Prior to 0.14.3, (*Repository).UploadRepoFiles checks for symlinks only on the leaf of the upload target (osx.IsSymlink(targetPath)). The siblings UpdateRepoFile, DeleteRepoFile, and GetDiffPreview use hasSymlinkInPath, which lstats every component — U |
| CVE-2026-52812 | 2026-06-24 | 7.1 (v4.0) | POC | — | Low | Low | YES | 0.0 | gogs | Gogs is an open source self-hosted Git service. Prior to 0.14.3, Git LFS storage is content-addressed by OID alone (<LFS-root>/<oid[0]>/<oid[1]>/<oid>) but per-repo authorization lives in the lfs_object table keyed (repo_id, oid). serveUpload skips re-uploading when the OID file already exists on di |
| CVE-2026-52813 | 2026-06-24 | 10.0 (v3.1) | POC | — | Low | None | YES | 0.0 | gogs | Gogs is an open source self-hosted Git service. Prior to 0.14.3, organization names containing path traversal sequences (../) are accepted by Gogs, and repositories under them are written to paths following these path traversals. This allows storing/retrieving data for repositories at arbitrary loca |
| CVE-2026-52814 | 2026-06-24 | 5.5 (v4.0) | POC | — | Low | None | YES | 0.0 | gogs | Gogs is an open source self-hosted Git service. Prior to 0.14.3, the Gogs built-in Go SSH server is vulnerable to an unauthenticated, asymmetric Denial of Service (DoS) attack. The application accepts inbound TCP connections and passes them to golang.org/x/crypto/ssh.NewServerConn inside a new gorou |
| CVE-2026-52815 | 2026-06-24 | 5.5 (v4.0) | POC | — | Low | None | YES | 0.0 | gogs | Gogs is an open source self-hosted Git service. Prior to 0.14.3, Gogs has an unauthenticated information disclosure vulnerability. The GET /api/v1/orgs/:orgname/teams endpoint at internal/route/api/v1/org_team.go:8 returns all teams for any organization without requiring authentication. The route gr |
| CVE-2026-25921 | 2026-03-05 | 9.3 (v3.1) | POC | — | Low | None | YES | 0.0 | gogs | Gogs is an open source self-hosted Git service. Prior to version 0.14.2, an overwritable LFS object across different repos leads to a supply-chain attack: all LFS objects can be maliciously overwritten by attackers. This issue has been patched in version 0.14.2. |
| CVE-2025-64111 | 2026-02-06 | 9.3 (v4.0) | POC | — | Low | None | YES | 0.0 | gogs | Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, due to the insufficient patch for CVE-2024-56731, it is still possible to update files in the .git directory and achieve remote command execution. This issue has been patched in versions 0.13.4 and 0.14.0+dev. |
| CVE-2026-22592 | 2026-02-06 | 6.5 (v3.1) | POC | — | Low | Low | no | 0.0 | gogs | Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, an authenticated user can cause a DoS attack. If one of the repo files is deleted before synchronization, it will cause the application to crash. This issue has been patched in versions 0.13.4 and 0.14.0+dev. |
| CVE-2026-24135 | 2026-02-06 | 7.2 (v4.0) | POC | — | Low | Low | no | 0.0 | gogs | Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, a path traversal vulnerability exists in the updateWikiPage function of Gogs. The vulnerability allows an authenticated user with write access to a repository's wiki to delete arbitrary files on the server by manipulating t |
| CVE-2025-8110 | 2025-12-10 | 8.7 (v4.0) | ACTIVE | Yes | Low | Low | no | 26.4 | gogs | Improper symbolic link handling in the PutContents API in Gogs allows local execution of code. |
| CVE-2024-54148 | 2024-12-23 | 8.7 (v4.0) | POC | — | Low | Low | YES | 0.0 | gogs | Gogs is an open source self-hosted Git service. A malicious user is able to commit and edit a crafted symlink file to a repository to gain SSH access to the server. The vulnerability is fixed in 0.13.1. |
| CVE-2024-55947 | 2024-12-23 | 8.7 (v4.0) | POC | — | Low | Low | YES | 0.0 | gogs | Gogs is an open source self-hosted Git service. A malicious user is able to write a file to an arbitrary path on the server to gain SSH access to the server. The vulnerability is fixed in 0.13.1. |
Scoring: each CVE gets a 10 pt base (Active exploitation only), multiplied by: KEV ×2.0; AC: Low ×1.2; PR: None ×1.3; PR: Low ×1.1; Auto ×1.3.