⚠ Actively exploited

Added to CISA KEV on 2026-01-12. Federal agencies required to patch by 2026-02-02. Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable..

CVE-2025-8110 — Path Traversal in Gogs

CWE-22 — Path Traversal CWE-288 — Authentication Bypass Using an Alternate Path or Channel18 documents9 sources

Severity

8.7HIGHNVD

VulnCheck9.8

EPSS

19.9%

top 4.52%

CISA KEV

KEV

Added 2026-01-12

Due 2026-02-02

Exploit

PoC available

Public exploit / PoC exists

Affected products

Gogs.io Gogs Gogs

Timeline

PublishedDec 10

KEV addedJan 12

KEV dueFeb 2

Latest updateFeb 24

CISA Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Description

Improper Symbolic link handling in the PutContents API in Gogs allows Local Execution of Code.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Packages2 packages

▶NVDgogs/gogs0.13.3

▶Gogogs.io/gogs0.13.3

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Gogs vulnerable to a bypass of CVE-2024-55947 in gogs.io/gogs↗2025-12-15

▶

GHSA

Gogs vulnerable to a bypass of CVE-2024-55947↗2025-12-10

▶

OSV

Gogs vulnerable to a bypass of CVE-2024-55947↗2025-12-10

▶

VulnCheck

Gogs Path Traversal Vulnerability↗2025

▶

VulnCheck

F5 BIG-IP Configuration Utility Authentication Bypass Vulnerability↗2023

▶

💥Exploits & PoCs

Nuclei

Gogs <= 0.13.3 - Remote Code Execution

▶

📋Vendor Advisories

CISA

Gogs Path Traversal Vulnerability↗2026-01-12

▶

🕵️Threat Intelligence

Recorded Future

January 2026 CVE Landscape: 23 Critical Vulnerabilities Mark 5% Increase, APT28 Exploits Microsoft Office Zero-Day↗2026-02-24

▶

Wiz

Crying Out Cloud Monthly Newsletter - January 2026 | Wiz↗2026-01-22

▶

Recorded Future

December 2025 CVE Landscape: 22 Critical Vulnerabilities Mark 120% Surge, React2Shell Dominates Threat Activity↗2026-01-13

▶

Bleepingcomputer

CISA orders feds to patch Gogs RCE flaw exploited in zero-day attacks↗2026-01-12

▶

Bleepingcomputer

Hackers exploit unpatched Gogs zero-day to breach 700 servers↗2025-12-11

▶