CVE-2026-25921 — Insufficient Verification of Data Authenticity in Gogs
Severity: 9.3 CRITICAL (NVD)
EPSS: 0.0% (top 90.46%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Mar 5
Latest update: Mar 10
Description
Gogs is an open source self-hosted Git service. Prior to version 0.14.2, an LFS object could be overwritten from a different repository, enabling a supply-chain attack: every LFS object was exposed to malicious overwriting by an attacker. This issue has been patched in version 0.14.2.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:L
Exploitability: 3.9 | Impact: 4.7
Affected Packages: 2 packages
Patches
Vulnerability Details
OSV: Gogs: Cross-repository LFS object overwrite via missing content hash verification in gogs.io/gogs (2026-03-10)
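The advisory title above names the missing control: the server never checked that an uploaded body actually hashes to the Git LFS oid it claims. The following Go example, added here and not taken from Gogs itself, shows the defender-side shape of the fix on a constructed in-memory store (the `LFSStore` type, its error values and the repository names are assumptions): the oid must be a well-formed SHA-256, sha256(body) must equal it before anything is written, objects are namespaced per repository, and an existing object is never overwritten.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"regexp"
)

// In-memory stand-in for an LFS object store (constructed for this example, not Gogs' code).
// Objects are keyed per repository, so an upload can only address its own repo's objects.
type LFSStore struct{ objects map[string]map[string][]byte } // repo -> oid -> content
func NewLFSStore() *LFSStore { return &LFSStore{objects: map[string]map[string][]byte{}} }

var oidRe = regexp.MustCompile(`^[0-9a-f]{64}$`)

var (
	ErrBadOID       = errors.New("lfs: oid is not a lowercase 64-hex sha256")
	ErrHashMismatch = errors.New("lfs: sha256(body) does not match claimed oid")
	ErrExists       = errors.New("lfs: object already stored; refusing to overwrite")
)

// OIDOf returns the Git LFS oid of content: the lowercase hex SHA-256 of its bytes.
func OIDOf(b []byte) string { sum := sha256.Sum256(b); return hex.EncodeToString(sum[:]) }

// PutObject accepts an upload only if the oid is well-formed, sha256(body) equals
// the oid, and this repo has no object under that oid yet. Content-addressed
// storage is write-once, so a stored object can never be replaced.
func (s *LFSStore) PutObject(repo, oid string, body []byte) error {
	if !oidRe.MatchString(oid) {
		return ErrBadOID
	}
	if _, exists := s.objects[repo][oid]; exists {
		return ErrExists
	}
	if OIDOf(body) != oid { // verify the hash before anything reaches storage
		return ErrHashMismatch
	}
	if s.objects[repo] == nil {
		s.objects[repo] = map[string][]byte{}
	}
	s.objects[repo][oid] = append([]byte(nil), body...) // private copy
	return nil
}

// GetObject serves an object only from the requesting repo's namespace.
func (s *LFSStore) GetObject(repo, oid string) ([]byte, bool) {
	b, ok := s.objects[repo][oid]
	return b, ok
}
```

With the hash check in place, a body that differs from the stored content can never carry the same oid, so even a globally deduplicated store would be safe; the per-repo namespace and write-once rule are defence in depth.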