Gogs (gogs.io/gogs) vulnerabilities
50 known vulnerabilities affecting gogs.io/gogs.
Total CVEs: 50
CISA KEV: 1 (actively exploited)
Public exploits: 7
Exploited in wild: 0
Severity breakdown: CRITICAL 14, HIGH 18, MEDIUM 18
Vulnerabilities
Page 1 of 3
CVE-2026-25921 | CRITICAL | affected: ≥ 0, < 0.14.2 | published: 2026-03-05
CVE-2026-25921 [CRITICAL] CWE-345 Gogs: Cross-repository LFS object overwrite via missing content hash verification
### Summary
Overwritable LFS objects across different repos lead to a supply-chain attack; all LFS objects are vulnerable to being maliciously overwritten by attackers.
### Details
Gogs stores all LFS objects in the same place, with no isolation between different repositories. (repo id not concatenat
CVE-2026-26276 | HIGH | affected: ≥ 0, ≤ 0.13.3 | published: 2026-03-05
CVE-2026-26276 [HIGH] CWE-79 Gogs: DOM-based XSS via milestone selection
# Summary
It was confirmed in a test environment that an attacker can store an HTML/JavaScript payload in a repository’s **Milestone name**, and when another user selects that Milestone on the **New Issue** page (`/issues/new`), a **DOM-Based XSS** is triggered.
# Impact
* Theft of information accessible in the victim’s session.
* Extraction of CSRF tokens and submission of st
CVE-2026-26022 | HIGH | affected: ≥ 0, < 0.14.2 | published: 2026-03-05
CVE-2026-26022 [HIGH] CWE-79 Gogs: Stored XSS via data URI in issue comments
### Summary
A Stored Cross-site Scripting (XSS) vulnerability exists in the comment and issue description functionality. The application's HTML sanitizer explicitly allows `data:` URI schemes, enabling authenticated users to inject arbitrary JavaScript execution via malicious links.
### Details
The vulnerability is located in `internal/markup/sanitizer.go`. The applicati
CVE-2026-26194 | HIGH | affected: ≥ 0, < 0.14.2 | published: 2026-03-05
CVE-2026-26194 [HIGH] CWE-88 Gogs: Release tag option injection in release deletion
### Summary
There is a security issue in Gogs where deleting a release can fail if a user-controlled tag name is passed to Git without the right separator, allowing Git option injection and therefore interfering with the process.
### Affected Component
- internal/database/release.go
`process.ExecDir(..., "git", "tag", "-d", rel.TagName)`
### Details
`re
CVE-2026-26195 | MEDIUM | affected: ≥ 0, ≤ 0.13.3 | published: 2026-03-05
CVE-2026-26195 [MEDIUM] CWE-79 Gogs: Stored XSS in branch and wiki views through author and committer names
### Summary
Stored XSS is still possible through unsafe template rendering that mixes user input with `safe()` plus permissive sanitizer handling of data URLs.
### Details
`safe()` still turns off escaping:
- internal/template/template.go
- `func safe(raw string) template.HTML { return template.HTML(raw) }`
B
CVE-2026-26196 | MEDIUM | affected: ≥ 0, ≤ 0.13.3 | published: 2026-03-05
CVE-2026-26196 [MEDIUM] CWE-598 Gogs: Access tokens get exposed through URL params in API requests
### Summary
The Gogs API still accepts tokens in URL parameters such as `token` and `access_token`, which can leak through logs, browser history, and referrers.
### Details
A static review shows that the API still checks tokens in the URL query before looking at headers:
- internal/context/auth.go reads `c.Query("token")`
- int
CVE-2026-25232 | HIGH | affected: ≥ 0, < 0.14.1 | published: 2026-02-17
CVE-2026-25232 [HIGH] CWE-863 Gogs has a Protected Branch Deletion Bypass in Web Interface
## Summary
An access control bypass vulnerability in Gogs web interface allows any repository collaborator with Write permissions to delete protected branches (including the default branch) by sending a direct POST request, completely bypassing the branch protection mechanism. This vulnerability enables privilege escalation from Write to Admin
CVE-2026-25229 | MEDIUM | affected: ≥ 0, < 0.14.0 | published: 2026-02-17
CVE-2026-25229 [MEDIUM] CWE-284 Gogs has an Authorization Bypass Allows Cross-Repository Label Modification in Gogs
### **Summary**
A broken access control vulnerability in Gogs allows authenticated users with write access to any repository to modify labels belonging to other repositories. The `UpdateLabel` function in the Web UI (`internal/route/repo/issue.go`) fails to verify that the label being modified belo
CVE-2026-25120 | MEDIUM | affected: ≥ 0, < 0.14.0 | published: 2026-02-17
CVE-2026-25120 [MEDIUM] CWE-639 Gogs Allows Cross-Repository Comment Deletion via DeleteComment
# IDOR: Cross-Repository Comment Deletion via DeleteComment
## Summary
The `POST /:owner/:repo/issues/comments/:id/delete` endpoint does not verify that the comment belongs to the repository specified in the URL. This allows a repository administrator to delete comments from any other repository by supplying arbitrary comment IDs, bypa
CVE-2026-25242 | MEDIUM | affected: ≥ 0, < 0.14.1 | published: 2026-02-17
CVE-2026-25242 [MEDIUM] CWE-862 Unauthenticated File Upload in Gogs
Security Advisory: Unauthenticated File Upload in Gogs
Vulnerability Type: Unauthenticated File Upload
Date: Aug 5, 2025
Discoverer: OpenAI Security Research
## Summary
Gogs exposes unauthenticated file upload endpoints by default. When the global RequireSigninView setting is disabled (default), any remote user can upload arbitrary files to the server via /releases/attachments and /issues/att
CVE-2025-64111 | CRITICAL | affected: ≥ 0, < 0.13.4 | published: 2026-02-06
CVE-2025-64111 [CRITICAL] CWE-78 Gogs's update .git/config file allows remote command execution
### Summary
Due to the insufficient patch for the https://github.com/gogs/gogs/security/advisories/GHSA-wj44-9vcg-wjq7, it's still possible to update files in the `.git` directory and achieve remote command execution.
### Details
Function `UpdateRepoFile` security check under some if conditions. While UpdateRepoFile call in API router wi
CVE-2025-64175 | HIGH | affected: ≥ 0.11.19, < 0.13.4 | published: 2026-02-06
CVE-2025-64175 [HIGH] CWE-287 Gogs Vulnerable to 2FA Bypass via Recovery Code
Contact OpenAI Security Research at [email protected] to engage on this report.
See PDF report for easier reading.
Security Advisory: 2FA Bypass via Recovery Code
Vulnerability Type: 2FA Authentication Bypass
Affected Software: GOGS
Severity: High
Date: Aug 5, 2025
Discoverer: OpenAI Security Research
Summary
Gogs’ 2FA recovery code validation does not sco
CVE-2026-24135 | HIGH | affected: ≥ 0, < 0.13.4 | published: 2026-02-06
CVE-2026-24135 [HIGH] CWE-22 Gogs vulnerable to arbitrary file deletion via Path Traversal in wiki page update
### Summary
A Path Traversal vulnerability exists in the `updateWikiPage` function of Gogs. The vulnerability allows an authenticated user with write access to a repository's wiki to delete arbitrary files on the server by manipulating the `old_title` parameter in the wiki editing form.
### Vulnerability
CVE-2026-23633 | MEDIUM | affected: ≥ 0, < 0.13.4 | published: 2026-02-06
CVE-2026-23633 [MEDIUM] CWE-22 Gogs has arbitrary file read/write via Path Traversal in Git hook editing
## Vulnerability Description
In the endpoint:
```
/username/reponame/settings/hooks/git/:name
```
the `:name` parameter:
* Is URL-decoded by **macaron routing**, allowing decoded slashes (`/`)
* Is then passed directly to:
```go
git.Repository.Hook("custom_hooks", name)
```
which internally resolves the path as:
CVE-2025-54880 | MEDIUM | CVSS 5.1 | affected: ≥ 0, < 0.13.4 | published: 2026-02-06
CVE-2025-54880 [MEDIUM] CWE-1395 Gogs vulnerable to Stored XSS via Mermaid diagrams
### Summary
Stored XSS via mermaid diagrams due to usage of vulnerable renderer library
### Details
Gogs introduced support for rendering mermaid diagrams in version [0.13.0.](https://github.com/gogs/gogs/releases/tag/v0.13.0)
Currently used version of the library [mermaid 11.9.0](https://github.com/gogs/gogs/tree/main/public/plugins/mermaid-11.9.0) is vulnerable to at least
CVE-2026-23632 | MEDIUM | affected: ≥ 0, < 0.13.4 | published: 2026-02-06
CVE-2026-23632 [MEDIUM] CWE-862 Gogs user can update repository content with read-only permission
## Vulnerability Description
The endpoint
`PUT /repos/:owner/:repo/contents/*`
does not require write permissions and allows access with **read permission only** via `repoAssignment()`.
After passing the permission check, `PutContents()` invokes `UpdateRepoFile()`, which results in:
* Commit creation
* Execution of `git push`
As
CVE-2026-22592 | MEDIUM | affected: ≥ 0, < 0.13.4 | published: 2026-02-06
CVE-2026-22592 [MEDIUM] CWE-862 Gogs has a Denial of Service issue
### Summary
An authenticated user can cause a DOS attack. If one of the repo files is deleted before synchronization, it will cause the application to crash.
### Details
If GetMirrorByRepoID fails, the error log dereferences a null pointer. This happens if the repository no longer exists.
https://github.com/gogs/gogs/blob/4cc83c498b6ae59356a04912d68a932165bad5e6/internal/database/mirror.go#L333-
CVE-2025-65852 | MEDIUM | affected: ≥ 0, < 0.13.4 | published: 2026-02-06
CVE-2025-65852 [MEDIUM] CWE-284 Gogs has authorization bypass in repository deletion API
### Summary
The DELETE /api/v1/repos/:owner/:repo endpoint lacks necessary permission validation middleware. Consequently, any user with read access (including read-only collaborators) can delete the entire repository.
This vulnerability stems from the API route configuration only utilizing the repoAssignment() middleware (which only verifies read a
CVE-2025-8110 | HIGH | CVSS 8.7 | KEV | PoC | affected: ≥ 0, ≤ 0.13.3 | published: 2025-12-10
CVE-2025-8110 [HIGH] CWE-22 Gogs vulnerable to a bypass of CVE-2024-55947
Improper Symbolic link handling in the PutContents API in Gogs allows Local Execution of Code.
CVE-2025-47943 | HIGH | CVSS 8.8 | affected: ≥ 0, < 0.13.3-0.20250608224432-110117b2e5e5 | published: 2025-06-26
CVE-2025-47943 [HIGH] CWE-79 Gogs XSS allowed by stored call in PDF renderer
### Summary
A stored XSS is present in Gogs which allows client-side JavaScript code execution.
### Details
Gogs Version:
```
docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
gogs/gogs latest fe92583bc4fe 10 hours ago 99.3MB
```
Application version: `0.14.0+dev`
Local setup using:
```bash
# Pull image from Docker Hub.
docker pull gogs/gogs
# Create local directory
```