CVE-2026-25242
Published: 2026-02-19
Priority: P2 · 65 · critical · 9.8 · CVSS 3.1
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.62% (45.1th percentile)
Gogs is an open source self-hosted Git service. Versions 0.13.4 and below expose unauthenticated file upload endpoints by default. When the global RequireSigninView setting is disabled (default), any remote user can upload arbitrary files to the server via /releases/attachments and /issues/attachments. This enables the instance to be abused as a public file host, potentially leading to disk exhaustion, content hosting, or delivery of malware. CSRF tokens do not mitigate this attack due to same-origin cookie issuance. This issue has been fixed in version 0.14.1.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| gogs.io | gogs | >= 0 < 0.14.1 | 0.14.1 |
| gogs | gogs | < 0.14.1 | 0.14.1 |
CVSS provenance
NVD (CVSS v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD (CVSS v4.0): 6.9 MEDIUM, CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
OSV
Unauthenticated File Upload in Gogs in gogs.io/gogs
osv·2026-02-23
CVE-2026-25242 Unauthenticated File Upload in Gogs in gogs.io/gogs
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.
(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)
The additional affected modules and versions are: gogs.io/gogs before v0.14.1.
OSV
Unauthenticated File Upload in Gogs
osv·2026-02-17
CVE-2026-25242 [MEDIUM] Unauthenticated File Upload in Gogs
Security Advisory: Unauthenticated File Upload in Gogs
Vulnerability Type: Unauthenticated File Upload
Date: Aug 5, 2025
Discoverer: OpenAI Security Research
## Summary
Gogs exposes unauthenticated file upload endpoints by default. When the global RequireSigninView setting is disabled (default), any remote user can upload arbitrary files to the server via /releases/attachments and /issues/attachments. This enables the instance to be abused as a public file host, potentially leading to disk exhaustion, content hosting, or delivery of malware. CSRF tokens do not mitigate this attack due to same-origin cookie issuance.
## Affected Versions
- Software: [Gogs](https://github.com/gogs/gogs/tree/main)
- Confirmed Version(s): 28f83626d4ed0aa7b89493be2ea8b79ca
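A defender-side check for the abuse pattern in the summary above, added here as an example and not code from the advisory or the Gogs project: it flags source IPs that post an unusual number of accepted uploads to the two attachment endpoints in reverse-proxy access logs, and includes a version test against the 0.14.1 fix. The nginx "combined" log layout, the threshold/window values and the sample lines are assumptions constructed for the example; per the advisory, cookie presence is not a usable authentication signal, so the detector relies on per-source volume instead.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Upload endpoints named in the advisory; the owner/repo prefix varies per request.
UPLOAD_RE = re.compile(r"^/[^ ]+/(releases|issues)/attachments(\?|$)")
# Assumed nginx "combined" reverse-proxy access log layout (not Gogs' own log format).
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def is_vulnerable_version(version):
    """True for any Gogs release before 0.14.1, the fix version named in the advisory."""
    return tuple(int(x) for x in version.lstrip("v").split(".")) < (0, 14, 1)

def find_upload_bursts(lines, threshold=5, window=timedelta(minutes=10)):
    """Map client IP -> most accepted (2xx) upload POSTs seen inside one `window`,
    for IPs reaching `threshold`. Cookie presence is deliberately ignored: per the
    advisory, anonymous visitors also get a session cookie, so per-source volume
    is the usable signal for file-host abuse."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or not m["status"].startswith("2"):
            continue  # skip non-uploads and rejected/failed uploads
        if UPLOAD_RE.match(m["path"]):
            hits[m["ip"]].append(datetime.strptime(m["ts"], TS_FMT))
    alerts = {}
    for ip, times in hits.items():
        times.sort()
        for i in range(len(times)):  # sliding window over sorted timestamps
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= threshold:
                alerts[ip] = max(alerts.get(ip, 0), j - i)
    return alerts

# Constructed sample lines (not real traffic): one client uploads five files in ~1 minute.
SAMPLE_LOG = [
    '203.0.113.9 - - [20/Feb/2026:10:00:01 +0000] "POST /demo/repo/issues/attachments HTTP/1.1" 200 64',
    '203.0.113.9 - - [20/Feb/2026:10:00:05 +0000] "POST /demo/repo/issues/attachments HTTP/1.1" 200 64',
    '203.0.113.9 - - [20/Feb/2026:10:00:12 +0000] "POST /demo/repo/releases/attachments HTTP/1.1" 200 64',
    '203.0.113.9 - - [20/Feb/2026:10:00:30 +0000] "POST /demo/repo/releases/attachments HTTP/1.1" 200 64',
    '198.51.100.4 - - [20/Feb/2026:10:00:40 +0000] "POST /demo/repo/releases/attachments HTTP/1.1" 200 64',
    '203.0.113.9 - - [20/Feb/2026:10:01:02 +0000] "POST /demo/repo/issues/attachments HTTP/1.1" 200 64',
    '203.0.113.9 - - [20/Feb/2026:10:02:00 +0000] "POST /demo/repo/releases/attachments HTTP/1.1" 403 0',
]
```

Running `find_upload_bursts(SAMPLE_LOG)` reports only 203.0.113.9; the single upload from 198.51.100.4 and the rejected 403 request are not counted.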
GHSA
Unauthenticated File Upload in Gogs
ghsa·2026-02-17
CVE-2026-25242 [MEDIUM] CWE-862 Unauthenticated File Upload in Gogs
No detection rules found.
No public exploits indexed.