CVE-2026-22592
Published 2026-02-06
Priority P4 | 33 | medium | CVSS 3.1: 6.5
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.34% (25.4th percentile)
Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, an authenticated user can cause a DOS attack. If one of the repo files is deleted before synchronization, it will cause the application to crash. This issue has been patched in versions 0.13.4 and 0.14.0+dev.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| gogs.io | gogs | >= 0 < 0.13.4 | 0.13.4 |
| gogs | gogs | < 0.14.0+dev | 0.14.0+dev |
| gogs | gogs | < 0.13.4 | 0.13.4 |
OSV
Gogs has a Denial of Service issue in gogs.io/gogs
osv·2026-02-17
CVE-2026-22592 Gogs has a Denial of Service issue in gogs.io/gogs
Gogs has a Denial of Service issue in gogs.io/gogs.
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.
(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)
The additional affected modules and versions are: gogs.io/gogs before v0.13.4.
OSV
Gogs has a Denial of Service issue
osv·2026-02-06
CVE-2026-22592 [MEDIUM] Gogs has a Denial of Service issue
### Summary
An authenticated user can cause a DOS attack. If one of the repo files is deleted before synchronization, it will cause the application to crash.
### Details
If `GetMirrorByRepoID` fails, the error log call dereferences a nil pointer. This happens if the repository no longer exists.
https://github.com/gogs/gogs/blob/4cc83c498b6ae59356a04912d68a932165bad5e6/internal/database/mirror.go#L333-L337
If `err != nil`, `m` is always `nil`.
https://github.com/gogs/gogs/blob/4cc83c498b6ae59356a04912d68a932165bad5e6/internal/database/mirror.go#L269-L278
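The failure mode described in Details, reduced to a self-contained Go sketch. This is an added example, not the Gogs source or its actual patch; `mirror`, `store`, `getMirrorByRepoID`, `syncUnsafe`, `syncSafe` and `panics` are hypothetical stand-ins and the data is constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// mirror is a hypothetical stand-in for a mirror record, not the Gogs type.
type mirror struct{ RepoID int64 }

// store is constructed sample data: repo 1 has a mirror, repo 2 has been deleted.
var store = map[int64]*mirror{1: {RepoID: 1}}

// getMirrorByRepoID returns (nil, err) on failure, the contract the advisory describes.
func getMirrorByRepoID(repoID int64) (*mirror, error) {
	if m, ok := store[repoID]; ok {
		return m, nil
	}
	return nil, errors.New("mirror does not exist")
}

// syncUnsafe builds its error message from m, which is nil whenever err != nil.
func syncUnsafe(repoID int64) string {
	m, err := getMirrorByRepoID(repoID)
	if err != nil {
		return fmt.Sprintf("get mirror [repo_id: %d]: %v", m.RepoID, err) // nil dereference
	}
	return fmt.Sprintf("synced repo %d", m.RepoID)
}

// syncSafe reports the failure using only values that are valid on the error path.
func syncSafe(repoID int64) string {
	m, err := getMirrorByRepoID(repoID)
	if err != nil {
		return fmt.Sprintf("get mirror [repo_id: %d]: %v", repoID, err)
	}
	return fmt.Sprintf("synced repo %d", m.RepoID)
}

// panics reports whether f panicked, so the crash is observable without ending the process.
func panics(f func()) (p bool) {
	defer func() { p = recover() != nil }()
	f()
	return false
}

func main() {
	fmt.Println(panics(func() { syncUnsafe(2) }), syncSafe(2))
}
```

In a background worker with no `recover`, the panic in the unsafe variant terminates the whole process, which is why a missing record turns into a service-wide outage.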
### PoC
Spam mirror-sync on repo and delete this repo
Python code to spam mirror-sync:
```py
import requests
url = "http://gogs.lan:3000/superuser/gobypass403/settings"
headers = {
"Cookie": "lang=en-US; i_like_gogs=
```
GHSA
Gogs has a Denial of Service issue
ghsa·2026-02-06
CVE-2026-22592 [MEDIUM] CWE-862 Gogs has a Denial of Service issue
No detection rules found.
No public exploits indexed.
2026-02-06
Published