CVE-2026-25242 — Missing Authorization in Gogs

CWE-862 — Missing Authorization5 documents4 sources

Severity

6.9MEDIUMNVD

EPSS

0.1%

top 73.62%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gogs.io Gogs Gogs

Timeline

PublishedFeb 19

Latest updateFeb 23

Description

Gogs is an open source self-hosted Git service. Versions 0.13.4 and below expose unauthenticated file upload endpoints by default. When the global RequireSigninView setting is disabled (default), any remote user can upload arbitrary files to the server via /releases/attachments and /issues/attachments. This enables the instance to be abused as a public file host, potentially leading to disk exhaustion, content hosting, or delivery of malware. CSRF tokens do not mitigate this attack due to same-o…

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Affected Packages2 packages

▶NVDgogs/gogs< 0.14.1

▶Gogogs.io/gogs< 0.14.1

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Unauthenticated File Upload in Gogs in gogs.io/gogs↗2026-02-23

▶

OSV

Unauthenticated File Upload in Gogs↗2026-02-17

▶

GHSA

Unauthenticated File Upload in Gogs↗2026-02-17

▶

🕵️Threat Intelligence

Wiz

CVE-2026-25242 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶