
Gogs.Io Gogs vulnerabilities

73 known vulnerabilities affecting gogs.io/gogs.

Total CVEs: 73
CISA KEV: 1 (actively exploited)
Public exploits: 8
Exploited in wild: 3
Severity breakdown: CRITICAL 17, HIGH 29, MEDIUM 26, LOW 1

Vulnerabilities

Page 1 of 4
CVE-2025-8110 | P1 | HIGH | CVSS 8.7 | KEV, PoC | affected versions ≥ 0, ≤ 0.13.3 | 2025-12-10
CVE-2025-8110 [HIGH] CWE-22: Gogs vulnerable to a bypass of CVE-2024-55947. Improper Symbolic link handling in the PutContents API in Gogs allows Local Execution of Code.
Sources: GHSA, OSV
CVE-2026-52813 | P1 | CRITICAL | Exploited | affected versions ≥ 0, < 0.14.3 | 2026-06-23
CVE-2026-52813 [CRITICAL] CWE-23: Gogs has Path Traversal in organization name that results in RCE through Git hooks. ### Summary Organization names containing path traversal sequences (`../`) are accepted by Gogs, and repositories under them are written to paths following these path traversals. This allows storing/retrieving data for repositories at arbitrary locations on the filesystem. By creating nested struct
Sources: GHSA
CVE-2026-52806 | P1 | CRITICAL | Exploited | affected versions ≥ 0, < 0.14.3 | 2026-06-23
CVE-2026-52806 [CRITICAL] CWE-77: Gogs vulnerable to RCE via git rebase --exec argument injection in pull request merge. # Gogs: RCE via `git rebase --exec` Argument Injection in PR Merge ## Summary Gogs allows authenticated users to achieve Remote Code Execution (RCE) on the server by creating a pull request with a specially crafted branch name that injects the `--exec` flag into the `git rebase` command duri
Sources: GHSA
CVE-2024-55947 | P1 | HIGH | PoC | affected versions ≥ 0, < 0.13.1 | 2024-12-23
CVE-2024-55947 [HIGH] CWE-22: Path Traversal in file update API in gogs. ### Impact The malicious user is able to write a file to an arbitrary path on the server to gain SSH access to the server. ### Patches Writing files outside repository Git directory has been prohibited via the repository file update API (https://github.com/gogs/gogs/pull/7859). Users should upgrade to 0.13.1 or the latest 0.14.0+dev. ### Workarounds No viable workaround availabl
Sources: GHSA, OSV
CVE-2022-0415 | P2 | HIGH | PoC | affected versions ≥ 0, < 0.12.6 | 2022-03-28
CVE-2022-0415 [HIGH] CWE-20: Unrestricted Upload of File with Dangerous Type in Gogs. ### Impact The malicious user is able to upload a crafted `config` file into the repository's `.git` directory to gain SSH access to the server. All installations with [repository upload enabled (default)](https://github.com/gogs/gogs/blob/f36eeedbf89328ee70cc3a2e239f6314f9021f58/conf/app.ini#L127-L129) are affected. ### Patches Repository file uploads
Sources: GHSA, OSV
CVE-2024-39930 | P2 | CRITICAL | CVSS 9.9 | PoC | affected versions ≥ 0, < 0.13.1 | 2024-12-23
CVE-2024-39930 [CRITICAL] CWE-88: Gogs has an argument Injection in the built-in SSH server. ### Impact When the built-in SSH server is enabled (`[server] START_SSH_SERVER = true`), unprivileged user accounts with at least one SSH key can execute arbitrary commands on the Gogs instance with the privileges of the user specified by `RUN_USER` in the configuration. It allows attackers to access and alter any users' code hosted on the same in
Sources: GHSA, OSV
CVE-2022-2024 | P2 | CRITICAL | affected versions ≥ 0, < 0.12.11 | 2023-02-28
CVE-2022-2024 [CRITICAL] CWE-78: Gogs OS Command Injection vulnerability. ### Impact The malicious user is able to update a crafted `config` file into the repository's `.git` directory in combination with crafted file deletion to gain SSH access to the server on case-insensitive file systems. All installations with [repository upload enabled (default)](https://github.com/gogs/gogs/blob/f36eeedbf89328ee70cc3a2e239f6314f9021f58/conf/app.ini#L127-L129) on case-in
Sources: GHSA, OSV
CVE-2014-8682 | P2 | HIGH | PoC | affected versions ≥ 0.3.1, < 0.5.8 | 2021-06-29
CVE-2014-8682 [HIGH] CWE-89: SQL Injection in Gogs. Multiple SQL injection vulnerabilities in Gogs (aka Go Git Service) 0.3.1-9 through 0.5.x before 0.5.6.1105 Beta allow remote attackers to execute arbitrary SQL commands via the q parameter to (1) api/v1/repos/search, which is not properly handled in models/repo.go, or (2) api/v1/users/search, which is not properly handled in models/user.go.
Sources: GHSA, OSV
CVE-2024-39931 | P2 | CRITICAL | CVSS 9.9 | affected versions ≥ 0, < 0.13.1 | 2024-12-23
CVE-2024-39931 [CRITICAL] CWE-552: Gogs allows deletion of internal files. ### Impact Unprivileged user accounts can execute arbitrary commands on the Gogs instance with the privileges of the account specified by `RUN_USER` in the configuration. It allows attackers to access and alter any users' code hosted on the same instance. ### Patches Deletion of `.git` files has been prohibited (https://github.com/gogs/gogs/pull/7870). Users should upgrade to 0.13.
Sources: GHSA, OSV
CVE-2024-39932 | P2 | CRITICAL | CVSS 9.9 | affected versions ≥ 0, < 0.13.1 | 2024-12-23
CVE-2024-39932 [CRITICAL] CWE-94: Gogs allows argument injection during the previewing of changes. ### Impact Unprivileged user accounts can write to arbitrary files on the filesystem. We could demonstrate its exploitation to force a re-installation of the instance, granting administrator rights. It allows accessing and altering any user's code hosted on the same instance. ### Patches Unintended Git options has been ignored for di
Sources: GHSA, OSV
CVE-2014-8681 | P3 | MEDIUM | PoC | affected versions ≥ 0.3.1, < 0.5.8 | 2021-06-29
CVE-2014-8681 [MEDIUM] CWE-89: SQL Injection in gogs.io/gogs. SQL injection vulnerability in the GetIssues function in models/issue.go in Gogs (aka Go Git Service) 0.3.1-9 through 0.5.6.x before 0.5.6.1025 Beta allows remote attackers to execute arbitrary SQL commands via the label parameter to user/repos/issues.
Sources: GHSA, OSV
CVE-2026-52815 | P3 | MEDIUM | PoC | affected versions ≥ 0, < 0.14.3 | 2026-06-23
CVE-2026-52815 [MEDIUM] CWE-200: Gogs Vulnerable to Unauthenticated Organization Teams Information Disclosure via API. ## Summary Gogs has an unauthenticated information disclosure vulnerability. The `GET /api/v1/orgs/:orgname/teams` endpoint at `internal/route/api/v1/org_team.go:8` returns all teams for any organization without requiring authentication. The route group at `internal/route/api/v1/api.go:380-385`
Sources: GHSA
CVE-2024-56731 | P2 | CRITICAL | CVSS 9.9 | affected versions ≥ 0, < 0.13.3 | 2025-06-24
CVE-2024-56731 [CRITICAL] CWE-552: Gogs allows deletion of internal files which leads to remote command execution. ### Summary Due to the insufficient patch for the CVE-2024-39931, it's still possible to delete files under the `.git` directory and achieve remote command execution. ### Details In the patch for CVE-2024-39931, the following check is added: https://github.com/gogs/gogs/commit/77a4a945ae9a87f77e392e9066b5
Sources: GHSA, OSV
CVE-2022-1993 | P2 | HIGH | affected versions ≥ 0, < 0.12.9 | 2022-06-08
CVE-2022-1993 [HIGH] CWE-22: Path Traversal in Git HTTP endpoints in Gogs. ### Impact The malicious user is able to craft HTTP requests to access unauthorized Git directories. All installations with are affected. ### Patches Path cleaning has accommodated for Git HTTP endpoints. Users should upgrade to 0.12.9 or the latest 0.13.0+dev. ### Workarounds N/A ### References https://huntr.dev/bounties/22f9c074-cf60-4c67-b5c4-72fdf312609d/ ### For mor
Sources: GHSA, OSV
CVE-2022-32174 | P3 | CRITICAL | affected versions ≥ 0.6.5, ≤ 0.12.10 | 2022-10-11
CVE-2022-32174 [CRITICAL] CWE-79: Gogs vulnerable to Cross-site Scripting. In Gogs, versions v0.6.5 through v0.12.10 are vulnerable to Stored Cross-Site Scripting (XSS) that leads to an account takeover.
Sources: GHSA, OSV
CVE-2026-25242 | P2 | MEDIUM | affected versions ≥ 0, < 0.14.1 | 2026-02-17
CVE-2026-25242 [MEDIUM] CWE-862: Unauthenticated File Upload in Gogs. Security Advisory: Unauthenticated File Upload in Gogs. Vulnerability Type: Unauthenticated File Upload. Date: Aug 5, 2025. Discoverer: OpenAI Security Research. ## Summary Gogs exposes unauthenticated file upload endpoints by default. When the global RequireSigninView setting is disabled (default), any remote user can upload arbitrary files to the server via /releases/attachments and /issues/att
Sources: GHSA, OSV
CVE-2024-44625 | P2 | HIGH | affected versions ≥ 0, < 0.13.2 | 2024-11-15
CVE-2024-44625 [HIGH] CWE-22: Remote Code Execution in Gogs. Gogs <0.13.2 is vulnerable to symbolic link path traversal that enables remote code execution via the editFilePost function of internal/route/repo/editor.go.
Sources: GHSA, OSV
CVE-2022-1884 | P2 | CRITICAL | affected versions ≥ 0, < 0.12.8 | 2022-06-02
CVE-2022-1884 [CRITICAL] CWE-77: OS Command Injection in gogs. ### Impact The malicious user is able to upload a crafted `config` file into the repository's `.git` directory to gain SSH access to the server. All Windows installations with [repository upload enabled (default)](https://github.com/gogs/gogs/blob/f36eeedbf89328ee70cc3a2e239f6314f9021f58/conf/app.ini#L127-L129) are affected. ### Patches Repository file uploads are prohibited to its `.git` directory. Us
Sources: GHSA, OSV
CVE-2026-25232 | P2 | HIGH | affected versions ≥ 0, < 0.14.1 | 2026-02-17
CVE-2026-25232 [HIGH] CWE-863: Gogs has a Protected Branch Deletion Bypass in Web Interface. ## Summary An access control bypass vulnerability in Gogs web interface allows any repository collaborator with Write permissions to delete protected branches (including the default branch) by sending a direct POST request, completely bypassing the branch protection mechanism. This vulnerability enables privilege escalation from Write to Admin
Sources: GHSA, OSV
CVE-2022-1986 | P2 | CRITICAL | affected versions ≥ 0, < 0.12.9 | 2022-06-08
CVE-2022-1986 [CRITICAL] CWE-78: OS Command Injection in file editor in Gogs. ### Impact The malicious user is able to update a crafted `config` file into the repository's `.git` directory in combination with crafted file deletion to gain SSH access to the server. All installations with [repository upload enabled (default)](https://github.com/gogs/gogs/blob/f36eeedbf89328ee70cc3a2e239f6314f9021f58/conf/app.ini#L127-L129) are affected. ### Patches File de
Sources: GHSA, OSV