CVE-2026-26194
published 2026-03-05CVE-2026-26194: Gogs is an open source self-hosted Git service. Prior to version 0.14.2, there's a security issue in gogs where deleting a release can fail if a user…
PriorityP340high7.3CVSS 3.1
AVNACLPRLUIRSUCNIHAH
EPSS
0.43%
34.6th percentile
Gogs is an open source self-hosted Git service. Prior to version 0.14.2, there's a security issue in gogs where deleting a release can fail if a user controlled tag name is passed to git without the right separator, this lets git options get injected and mess with the process. This issue has been patched in version 0.14.2.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| gogs.io | gogs | >= 0 < 0.14.3 | 0.14.3 |
| gogs.io | gogs | >= 0 < 0.14.2 | 0.14.2 |
| gogs | gogs | < 0.14.2 | 0.14.2 |
CVSS provenance
nvdv3.17.3HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H
nvdv4.08.8HIGHCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
Gogs vulnerable to RCE via git rebase --exec argument injection in pull request merge
ghsa·2026-06-23
CVE-2026-52806 [CRITICAL] CWE-77 Gogs vulnerable to RCE via git rebase --exec argument injection in pull request merge
Gogs vulnerable to RCE via git rebase --exec argument injection in pull request merge
# Gogs: RCE via `git rebase --exec` Argument Injection in PR Merge
## Summary
Gogs allows authenticated users to achieve Remote Code Execution (RCE) on the server by creating a pull request with a specially crafted branch name that injects the `--exec` flag into the `git rebase` command during the "Rebase before merging" merge operation.
## Severity
**Critical** - CVSS 3.1 Base Score: 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
## Affected Versions
- **Gogs 0.14.2** (latest supported release)
- Gogs 0.15.0+dev (commit `b53d3162`, main branch as of 2026-03-16)
- All prior versions that support the "Rebase before merging" merge style
## Impact
This is a **privilege escalation from authenticated user
OSV
Gogs: Release tag option injection in release deletion in gogs.io/gogs
osv·2026-03-10
CVE-2026-26194 Gogs: Release tag option injection in release deletion in gogs.io/gogs
Gogs: Release tag option injection in release deletion in gogs.io/gogs
Gogs: Release tag option injection in release deletion in gogs.io/gogs.
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.
(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)
The additional affected modules and versions are: gogs.io/gogs before v0.14.2.
GHSA
Gogs: Release tag option injection in release deletion
ghsa·2026-03-05
CVE-2026-26194 [HIGH] CWE-88 Gogs: Release tag option injection in release deletion
Gogs: Release tag option injection in release deletion
### Summary
There is a security issue in Gogs where deleting a release can fail if a user-controlled tag name is passed to Git without the right separator, allowing Git option injection and therefore interfering with the process.
### Affected Component
- internal/database/release.go
`process.ExecDir(..., "git", "tag", "-d", rel.TagName)`
### Details
`rel.TagName` is used as a CLI argument to `git tag -d` without `--` or `--end-of-options`.
If the tag name begins with `-`, Git parses it as a flag.
The prior mitigation is incomplete. There is path sanitization in place during creation:
- internal/database/release.go
`r.TagName = strings.TrimLeft(r.TagName, "-")`
But it only covers one creation path and does not reliably protect
OSV
Gogs: Release tag option injection in release deletion
osv·2026-03-05
CVE-2026-26194 [HIGH] Gogs: Release tag option injection in release deletion
Gogs: Release tag option injection in release deletion
### Summary
There is a security issue in Gogs where deleting a release can fail if a user-controlled tag name is passed to Git without the right separator, allowing Git option injection and therefore interfering with the process.
### Affected Component
- internal/database/release.go
`process.ExecDir(..., "git", "tag", "-d", rel.TagName)`
### Details
`rel.TagName` is used as a CLI argument to `git tag -d` without `--` or `--end-of-options`.
If the tag name begins with `-`, Git parses it as a flag.
The prior mitigation is incomplete. There is path sanitization in place during creation:
- internal/database/release.go
`r.TagName = strings.TrimLeft(r.TagName, "-")`
But it only covers one creation path and does not reliably protect
No detection rules found.
No public exploits indexed.
Bleepingcomputer
Gogs patches critical zero-day enabling remote code execution
blogs_bleepingcomputer·2026-06-08
CVE-2024-39933 Gogs patches critical zero-day enabling remote code execution
## Gogs patches critical zero-day enabling remote code execution
## Sergiu Gatlan
Gogs has patched a critical security zero-day flaw that can allow attackers to compromise Internet-facing instances and access any repositories (including private ones).
This argument injection vulnerability has yet to be assigned a CVE ID, can only be exploited by authenticated attackers without admin privileges, and affects all Gogs releases up to and including 0.14.2 and 0.15.0+dev.
They can exploit this vulnerability to compromise the targeted server, read any repository (including private repos), steal credentials, move laterally to other systems on the network, and alter any hosted source code.
While threat actors would need at least basic user privileges to exploit the flaw, Rapid7 security resear
Rapid7
Authenticated RCE via Argument Injection in Gogs (NOT FIXED)
blogs_rapid7·2026-05-28
CVE-2024-39933 Authenticated RCE via Argument Injection in Gogs (NOT FIXED)
## Overview
Rapid7 Labs discovered a critical argument injection ( CWE-88 ) vulnerability in Gogs , a popular open-source self-hosted Git service. Rapid7 Labs scores this vulnerability as CVSSv4 9.4 (Critical). The vulnerability allows any authenticated user to achieve remote code execution (RCE) on the server by creating a pull request with a malicious branch name that injects the --exec flag into git rebase during the "Rebase before merging" merge operation. At the time of publication, the vendor has not released a patch.
The exploit requires no admin privileges and no interaction with other users; an attacker operates entirely within their own account. Since Gogs ships with open registration enabled by default ( DISABLE_REGISTRATION = false ) and no limit on repository creation ( MAX_
Bleepingcomputer
New Gogs zero-day flaw lets hackers get remote code execution
blogs_bleepingcomputer·2026-05-28·CVSS 7.7
CVE-2024-39933 [HIGH] New Gogs zero-day flaw lets hackers get remote code execution
## New Gogs zero-day flaw lets hackers get remote code execution
## Sergiu Gatlan
An unpatched zero-day vulnerability in the Gogs self-hosted Git service can allow attackers to gain remote code execution (RCE) on Internet-facing instances.
Designed as an alternative to GitHub Enterprise or GitLab and written in Go, Gogs is often exposed online for remote collaboration.
This critical severity argument injection security flaw has yet to be assigned a CVE ID, affects the latest release versions (Gogs 0.14.2 and 0.15.0+dev), and can only be exploited by authenticated attackers without admin privileges.
However, even though it requires basic user privileges to exploit, Rapid7 senior security researcher Jonah Burgess (who discovered the flaw) said the vulnerability affects all Gogs servers
Wiz
CVE-2026-26196 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.7
CVE-2026-26196 [HIGH] CVE-2026-26196 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-26196 :
Gogs vulnerability analysis and mitigation
Gogs is an open source self-hosted Git service. Prior to version 0.14.2, gogs api still accepts tokens in url params like token and access_token, which can leak through logs, browser history, and referrers. This issue has been patched in version 0.14.2.
Source : NVD
## 6.9
Score
Published March 5, 2026
Severity MEDIUM
CNA Score 6.9
Affected Technologies
Gogs
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
gogs
gogs.io/gogs
Sources
NVD
Alpine 3.10, 3.11, 3.12, 3.13, 3.14, 3.15, 3.16, 3.17, 3.18, 3.19, 3.20 Severity MEDIUM No Fix Added at: Mar 08,
Wiz
CVE-2026-24135 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.2
CVE-2026-24135 [HIGH] CVE-2026-24135 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24135 :
Gogs vulnerability analysis and mitigation
Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, a path traversal vulnerability exists in the updateWikiPage function of Gogs. The vulnerability allows an authenticated user with write access to a repository's wiki to delete arbitrary files on the server by manipulating the old_title parameter in the wiki editing form. This issue has been patched in versions 0.13.4 and 0.14.0+dev.
Source : NVD
## 7.2
Score
Published February 6, 2026
Severity HIGH
CNA Score 7.2
Affected Technologies
Gogs
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 17.2
Exploitation Probability (EPSS) 0.1
Affected packages a
Wiz
CVE-2026-25921 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.3
CVE-2026-25921 [CRITICAL] CVE-2026-25921 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25921 :
Gogs vulnerability analysis and mitigation
Gogs is an open source self-hosted Git service. Prior to version 0.14.2, overwritable LFS object across different repos leads to supply-chain attack, all LFS objects are vulnerable to be maliciously overwritten by malicious attackers. This issue has been patched in version 0.14.2.
Source : NVD
## 9.3
Score
Published March 5, 2026
Severity CRITICAL
CNA Score 9.3
Affected Technologies
Gogs
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 6.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
gogs
gogs.io/gogs
Sources
NVD
Alpine 3.10, 3.11, 3.12, 3.13, 3.14, 3.15, 3.16, 3.17, 3.18, 3.19, 3.20 Severity C
Wiz
CVE-2026-22592 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2026-22592 [MEDIUM] CVE-2026-22592 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22592 :
Gogs vulnerability analysis and mitigation
Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, an authenticated user can cause a DOS attack. If one of the repo files is deleted before synchronization, it will cause the application to crash. This issue has been patched in versions 0.13.4 and 0.14.0+dev.
Source : NVD
## 6.5
Score
Published February 6, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
Gogs
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 3.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
gogs
gogs.io/gogs
Sources
NVD
Alpine 3.10, 3.11, 3.12, 3.13, 3.14, 3.15, 3.16, 3.17, 3.18, 3.19, 3.20 Sever
Wiz
CVE-2026-26022 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.7
CVE-2026-26022 [HIGH] CVE-2026-26022 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-26022 :
Gogs vulnerability analysis and mitigation
Gogs is an open source self-hosted Git service. Prior to version 0.14.2, a stored cross-site scripting (XSS) vulnerability exists in the comment and issue description functionality. The application's HTML sanitizer explicitly allows data: URI schemes, enabling authenticated users to inject arbitrary JavaScript execution via malicious links. This issue has been patched in version 0.14.2.
Source : NVD
## 5.4
Score
Published March 5, 2026
Severity MEDIUM
CNA Score 8.7
Affected Technologies
Gogs
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 3.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
gogs
gogs
Wiz
CVE-2025-8110 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.7
CVE-2025-8110 [HIGH] CVE-2025-8110 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-8110 :
Gogs vulnerability analysis and mitigation
Improper Symbolic link handling in the PutContents API in Gogs allows Local Execution of Code.
Source : NVD
## 8.7
Score
Published December 10, 2025
Severity HIGH
CNA Score 8.7
High-profile Vulnerability Yes
Affected Technologies
Gogs
Has Public Exploit Yes
Has CISA KEV Exploit Yes
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 95.6
Exploitation Probability (EPSS) 21.1
Affected packages and libraries
gogs
cpe:2.3:a:gogits:gogs
Sources
Alpine 3.10, 3.11, 3.12, 3.13, 3.14, 3.15, 3.16, 3.17, 3.18, 3.19, 3.20 Severity HIGH No Fix Added at: Jan 14, 2026
GoLang Severity HIGH No Fix Added at: Dec 11, 2025
Homebrew Severity HIGH No Fix Added at: Jan 14, 2026
Nix Seve
Wiz
CVE-2026-25232 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2026-25232 [HIGH] CVE-2026-25232 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25232 :
Gogs vulnerability analysis and mitigation
Gogs is an open source self-hosted Git service. Versions 0.13.4 and below have an access control bypass vulnerability which allows any repository collaborator with Write permissions to delete protected branches (including the default branch) by sending a direct POST request, completely bypassing the branch protection mechanism. This vulnerability in the DeleteBranchPost function eenables privilege escalation from Write to Admin level, allowing low-privilege users to perform dangerous operations that should be restricted to administrators only. Although Git Hook layer correctly prevents protected branch deletion via SSH push, the web interface deletion operation does not trigger Git Hooks, resulting in complete bypass of prote
Wiz
CVE-2026-26194 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.7
CVE-2026-26194 [HIGH] CVE-2026-26194 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-26194 :
Gogs vulnerability analysis and mitigation
Gogs is an open source self-hosted Git service. Prior to version 0.14.2, there's a security issue in gogs where deleting a release can fail if a user controlled tag name is passed to git without the right separator, this lets git options get injected and mess with the process. This issue has been patched in version 0.14.2.
Source : NVD
## 8.8
Score
Published March 5, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
Gogs
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
gogs
gogs.io/gogs
Sources
NVD
Alpine 3.10, 3.11, 3.12, 3.13, 3.14, 3.15,
Wiz
CVE-2025-64175 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.7
CVE-2025-64175 [HIGH] CVE-2025-64175 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-64175 :
Gogs vulnerability analysis and mitigation
Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, Gogs’ 2FA recovery code validation does not scope codes by user, enabling cross-account bypass. If an attacker knows a victim’s username and password, they can use any unused recovery code (e.g., from their own account) to bypass the victim’s 2FA. This enables full account takeover and renders 2FA ineffective in all environments where it's enabled.. This issue has been patched in versions 0.13.4 and 0.14.0+dev.
Source : NVD
## 7.7
Score
Published February 6, 2026
Severity HIGH
CNA Score 7.7
Affected Technologies
Gogs
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability P
Wiz
CVE-2026-25242 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.9
CVE-2026-25242 [MEDIUM] CVE-2026-25242 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25242 :
Gogs vulnerability analysis and mitigation
Gogs is an open source self-hosted Git service. Versions 0.13.4 and below expose unauthenticated file upload endpoints by default. When the global RequireSigninView setting is disabled (default), any remote user can upload arbitrary files to the server via /releases/attachments and /issues/attachments. This enables the instance to be abused as a public file host, potentially leading to disk exhaustion, content hosting, or delivery of malware. CSRF tokens do not mitigate this attack due to same-origin cookie issuance. This issue has been fixed in version 0.14.1.
Source : NVD
## 6.9
Score
Published February 19, 2026
Severity MEDIUM
CNA Score 6.9
Affected Technologies
Gogs
Has Public Exploit Yes
Has CISA KEV Exploit
Wiz
CVE-2025-64111 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 10.0
CVE-2025-64111 [CRITICAL] CVE-2025-64111 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-64111 :
Gogs vulnerability analysis and mitigation
Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, due to the insufficient patch for CVE-2024-56731, it's still possible to update files in the .git directory and achieve remote command execution. This issue has been patched in versions 0.13.4 and 0.14.0+dev.
Source : NVD
## 9.3
Score
Published February 6, 2026
Severity CRITICAL
CNA Score 9.3
Affected Technologies
Gogs
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 44.6
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
gogs.io/gogs
gogs
Sources
NVD
Alpine 3.10, 3.11, 3.12, 3.13, 3.14, 3.15, 3.16, 3.17, 3.18, 3.19, 3.20 Se
Wiz
CVE-2026-23633 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2026-23633 [MEDIUM] CVE-2026-23633 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-23633 :
Gogs vulnerability analysis and mitigation
Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, there is an arbitrary file read/write via path traversal in Git hook editing. This issue has been patched in versions 0.13.4 and 0.14.0+dev.
Source : NVD
## 6.5
Score
Published February 6, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
Gogs
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 8.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
gogs.io/gogs
gogs
Sources
NVD
Alpine 3.10, 3.11, 3.12, 3.13, 3.14, 3.15, 3.16, 3.17, 3.18, 3.19, 3.20 Severity MEDIUM No Fix Added at: Feb 18, 2026
GoLang Severity MEDIUM Has
Wiz
CVE-2026-26195 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.7
CVE-2026-26195 [HIGH] CVE-2026-26195 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-26195 :
Gogs vulnerability analysis and mitigation
Gogs is an open source self-hosted Git service. Prior to version 0.14.2, stored xss is still possible through unsafe template rendering that mixes user input with safe plus permissive sanitizer handling of data urls. This issue has been patched in version 0.14.2.
Source : NVD
## 6.9
Score
Published March 5, 2026
Severity MEDIUM
CNA Score 6.9
Affected Technologies
Gogs
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
gogs
gogs.io/gogs
Sources
NVD
Alpine 3.10, 3.11, 3.12, 3.13, 3.14, 3.15, 3.16, 3.17, 3.18, 3.19, 3.20 Severity MEDIUM No Fix Added a
Wiz
CVE-2026-26276 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.7
CVE-2026-26276 [HIGH] CVE-2026-26276 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-26276 :
Gogs vulnerability analysis and mitigation
Gogs is an open source self-hosted Git service. Prior to version 0.14.2, an attacker can store an HTML/JavaScript payload in a repository’s Milestone name, and when another user selects that Milestone on the New Issue page (/issues/new), a DOM-Based XSS is triggered. This issue has been patched in version 0.14.2.
Source : NVD
## 5.4
Score
Published March 5, 2026
Severity MEDIUM
CNA Score 7.3
Affected Technologies
Gogs
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
gogs
gogs.io/gogs
Sources
NVD
Alpine 3.10, 3.11, 3.12, 3.13, 3.14, 3.15, 3.16, 3.
Wiz
CVE-2026-25120 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.1
CVE-2026-25120 [MEDIUM] CVE-2026-25120 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25120 :
Gogs vulnerability analysis and mitigation
Gogs is an open source self-hosted Git service. In versions 0.13.4 and below, the DeleteComment API does not verify that the comment belongs to the repository specified in the URL. This allows a repository administrator to delete comments from any other repository by supplying arbitrary comment IDs, bypassing authorization controls. The DeleteComment function retrieves a comment by ID without verifying repository ownership and the Database function DeleteCommentByID performs no repository validation. This issue has been fixed in version 0.14.0.
Source : NVD
## 5.1
Score
Published February 19, 2026
Severity MEDIUM
CNA Score 5.1
Affected Technologies
Gogs
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Rele
Wiz
CVE-2026-23632 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2026-23632 [MEDIUM] CVE-2026-23632 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-23632 :
Gogs vulnerability analysis and mitigation
Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, the endpoint "PUT /repos/:owner/:repo/contents/*" does not require write permissions and allows access with read permission only via repoAssignment(). After passing the permission check, PutContents() invokes UpdateRepoFile(), which results in commit creation and the execution of git push. As a result, a token with read-only permission can be used to modify repository contents. This issue has been patched in versions 0.13.4 and 0.14.0+dev.
Source : NVD
## 6.5
Score
Published February 6, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
Gogs
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date
Wiz
CVE-2026-25229 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-25229 [MEDIUM] CVE-2026-25229 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25229 :
Gogs vulnerability analysis and mitigation
Gogs is an open source self-hosted Git service. Versions 0.13.4 and below have a broken access control vulnerability which allows authenticated users with write access to any repository to modify labels belonging to other repositories. The UpdateLabel function in the Web UI (internal/route/repo/issue.go) fails to verify that the label being modified belongs to the repository specified in the URL path, enabling cross-repository label tampering attacks. The vulnerability exists in the Web UI's label update endpoint POST /:username/:reponame/labels/edit. The handler function UpdateLabel uses an incorrect database query function that bypasses repository ownership validation. This issue has been fixed in version 0.14.1.
Source :
2026-03-05
Published