CVE-2024-39933
Published: 2024-07-04
CVE-2024-39933: Gogs through 0.13.0 allows argument injection during the tagging of a new release.
Priority: P3, 44, high; CVSS 3.1 base score 7.7
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
EPSS: 0.69% (48.1th percentile)
Gogs through 0.13.0 allows argument injection during the tagging of a new release.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | gogs_gogs | 0 – 0.13.0 | — |
| gogs.io | gogs | >= 0 < 0.14.3 | 0.14.3 |
| gogs.io | gogs | >= 0 < 0.13.1 | 0.13.1 |
| gogs | gogs | <= 0.13.0 | — |
CVSS provenance
- NVD: v3.1, 7.7 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
- GHSA: 7.7 HIGH
- OSV: 7.7 HIGH
GHSA
CVE-2026-52806 [CRITICAL] CWE-77 Gogs vulnerable to RCE via git rebase --exec argument injection in pull request merge
ghsa·2026-06-23
# Gogs: RCE via `git rebase --exec` Argument Injection in PR Merge
## Summary
Gogs allows authenticated users to achieve Remote Code Execution (RCE) on the server by creating a pull request with a specially crafted branch name that injects the `--exec` flag into the `git rebase` command during the "Rebase before merging" merge operation.
## Severity
**Critical** - CVSS 3.1 Base Score: 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
## Affected Versions
- **Gogs 0.14.2** (latest supported release)
- Gogs 0.15.0+dev (commit `b53d3162`, main branch as of 2026-03-16)
- All prior versions that support the "Rebase before merging" merge style
## Impact
This is a **privilege escalation from authenticated user
GHSA
CVE-2024-39933 [HIGH] CWE-88 Gogs allows argument Injection when tagging new releases
ghsa·2024-12-23·CVSS 7.7
### Impact
Unprivileged user accounts with at least one SSH key can read arbitrary files on the system. For instance, they could leak the configuration files that could contain database credentials (`[database] *`) and `[security] SECRET_KEY`. Attackers could also exfiltrate TLS certificates, other users' repositories, and the Gogs database when the SQLite driver is enabled.
### Patches
Unintended Git options are now ignored when creating tags (https://github.com/gogs/gogs/pull/7872). Users should upgrade to 0.13.1 or the latest 0.14.0+dev.
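As an added illustration (not Gogs' own code and not the fix from PR 7872), a Go sketch of the pattern this advisory describes: a tag operation that hands a user-chosen name straight to git, beside a hardened form that validates both operands against a conservative subset of git's refname rules and passes them after the `--` end-of-options marker. All function names are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrBadRefName is returned for names git would reject or could misparse.
var ErrBadRefName = errors.New("invalid ref name")

// validateRefName applies a conservative subset of git's refname rules
// (see git check-ref-format). A leading '-' is refused outright: passed to
// git without an end-of-options marker, such a name is parsed as a flag.
func validateRefName(name string) error {
	if name == "" || name == "@" || strings.HasPrefix(name, "-") {
		return ErrBadRefName
	}
	if strings.HasPrefix(name, ".") || strings.HasSuffix(name, ".") ||
		strings.HasSuffix(name, "/") || strings.HasSuffix(name, ".lock") ||
		strings.Contains(name, "..") || strings.Contains(name, "@{") ||
		strings.Contains(name, "//") || strings.Contains(name, "/.") {
		return ErrBadRefName
	}
	for _, r := range name {
		if r < 0x20 || r == 0x7f || strings.ContainsRune(" ~^:?*[\\", r) {
			return ErrBadRefName
		}
	}
	return nil
}

// vulnerableTagArgs shows the weak pattern: user-controlled operands are
// appended where git's option parser still accepts flags.
func vulnerableTagArgs(name, target string) []string {
	return []string{"tag", name, target}
}

// safeTagArgs validates both operands and places them after "--", so git
// treats everything that follows as operands whatever their first byte.
// The caller would run exec.Command("git", args...) on the result.
func safeTagArgs(name, target string) ([]string, error) {
	for _, s := range []string{name, target} {
		if err := validateRefName(s); err != nil {
			return nil, fmt.Errorf("%w: %q", err, s)
		}
	}
	return []string{"tag", "--", name, target}, nil
}
```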
### Workarounds
No viable workaround is available; on affected versions, grant access to your Gogs instance only to trusted users.
### References
https://www.cve.org/CVERecord?id=CVE-20
OSV
CVE-2024-39933 [HIGH] Gogs allows argument Injection when tagging new releases
osv·2024-12-23·CVSS 7.7
OSV
CVE-2024-39933 Gogs allows argument injection during the tagging of a new release in github.com/gogs/gogs
osv·2024-07-09
OSV
CVE-2024-39933 [HIGH] Duplicate Advisory: Gogs allows argument injection during the tagging of a new release
osv·2024-07-04
# Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-m27m-h5gj-wwmg. This link is maintained to preserve external references.
# Original Description
Gogs through 0.13.0 allows argument injection during the tagging of a new release. This vulnerability is still unfixed as of the time of this advisory being published.
No detection rules found.
No public exploits indexed.
Bleepingcomputer
CVE-2024-39933 Gogs patches critical zero-day enabling remote code execution
blogs_bleepingcomputer·2026-06-08
## Gogs patches critical zero-day enabling remote code execution
By Sergiu Gatlan
Gogs has patched a critical security zero-day flaw that can allow attackers to compromise Internet-facing instances and access any repositories (including private ones).
This argument injection vulnerability has yet to be assigned a CVE ID, can only be exploited by authenticated attackers without admin privileges, and affects all Gogs releases up to and including 0.14.2 and 0.15.0+dev.
They can exploit this vulnerability to compromise the targeted server, read any repository (including private repos), steal credentials, move laterally to other systems on the network, and alter any hosted source code.
While threat actors would need at least basic user privileges to exploit the flaw, Rapid7 security resear
Rapid7
CVE-2024-39933 Authenticated RCE via Argument Injection in Gogs (NOT FIXED)
blogs_rapid7·2026-05-28
## Overview
Rapid7 Labs discovered a critical argument injection (CWE-88) vulnerability in Gogs, a popular open-source self-hosted Git service. Rapid7 Labs scores this vulnerability as CVSSv4 9.4 (Critical). The vulnerability allows any authenticated user to achieve remote code execution (RCE) on the server by creating a pull request with a malicious branch name that injects the `--exec` flag into `git rebase` during the "Rebase before merging" merge operation. At the time of publication, the vendor has not released a patch.
The exploit requires no admin privileges and no interaction with other users; an attacker operates entirely within their own account. Since Gogs ships with open registration enabled by default (`DISABLE_REGISTRATION = false`) and no limit on repository creation ( MAX_
Bleepingcomputer
CVE-2024-39933 [HIGH] New Gogs zero-day flaw lets hackers get remote code execution
blogs_bleepingcomputer·2026-05-28·CVSS 7.7
## New Gogs zero-day flaw lets hackers get remote code execution
By Sergiu Gatlan
An unpatched zero-day vulnerability in the Gogs self-hosted Git service can allow attackers to gain remote code execution (RCE) on Internet-facing instances.
Designed as an alternative to GitHub Enterprise or GitLab and written in Go, Gogs is often exposed online for remote collaboration.
This critical severity argument injection security flaw has yet to be assigned a CVE ID, affects the latest release versions (Gogs 0.14.2 and 0.15.0+dev), and can only be exploited by authenticated attackers without admin privileges.
However, even though it requires basic user privileges to exploit, Rapid7 senior security researcher Jonah Burgess (who discovered the flaw) said the vulnerability affects all Gogs servers