github.com/gogs/gogs vulnerabilities

5 known vulnerabilities affecting github.com/gogs/gogs.

Total CVEs: 5
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 3, HIGH 2

Vulnerabilities

CVE-2025-47943 | HIGH | CVSS 8.8 | affected: ≥ 0, < 0.13.3-0.20250608224432-110117b2e5e5 | published 2025-06-26
CWE-79: Gogs XSS allowed by stored call in PDF renderer

Summary: A stored XSS is present in Gogs which allows client-side JavaScript code execution.

Details: Gogs version:

```
docker images
REPOSITORY   TAG      IMAGE ID       CREATED        SIZE
gogs/gogs    latest   fe92583bc4fe   10 hours ago   99.3MB
```

Application version: `0.14.0+dev`

Local setup using:

```bash
# Pull image from Docker Hub.
docker pull gogs/gogs
# Create local directory
```

Sources: GHSA, OSV
CVE-2024-39932 | CRITICAL | affected: ≥ 0, ≤ 0.13.0 | published 2024-07-04
Duplicate Advisory: Gogs allows argument injection during the previewing of changes

This advisory has been withdrawn because it is a duplicate of GHSA-9pp6-wq8c-3w2c. This link is maintained to preserve external references.

Original description: Gogs through 0.13.0 allows argument injection during the previewing of changes.

Sources: OSV
CVE-2024-39931 | CRITICAL | affected: ≥ 0, ≤ 0.13.0 | published 2024-07-04
Duplicate Advisory: Gogs allows deletion of internal files

This advisory has been withdrawn because it is a duplicate of GHSA-ccqv-43vm-4f3w. This link is maintained to preserve external references.

Original description: Gogs through 0.13.0 allows deletion of internal files.

Sources: OSV
CVE-2024-39930 | CRITICAL | CVSS 9.9 | PoC available | affected: ≥ 0, ≤ 0.13.0 | published 2024-07-04
CWE-88: Duplicate Advisory: github.com/gogs/gogs affected by CVE-2024-39930

This advisory has been withdrawn because it is a duplicate of GHSA-vm62-9jw3-c8w3. This link is maintained to preserve external references.

Original description: The built-in SSH server of Gogs through 0.13.0 allows argument injection in internal/ssh/ssh.go, leading to remote code execution. Authenticated

Sources: GHSA, OSV
CVE-2024-39933 | HIGH | affected: ≥ 0, ≤ 0.13.0 | published 2024-07-04
Duplicate Advisory: Gogs allows argument injection during the tagging of a new release

This advisory has been withdrawn because it is a duplicate of GHSA-m27m-h5gj-wwmg. This link is maintained to preserve external references.

Original description: Gogs through 0.13.0 allows argument injection during the tagging of a new release. This vulnerability is still unfixed

Sources: OSV