
Gogs.Io Gogs vulnerabilities

73 known vulnerabilities affecting gogs.io/gogs.

Total CVEs: 73
CISA KEV: 1 (actively exploited)
Public exploits: 8
Exploited in wild: 3
Severity breakdown: CRITICAL 17, HIGH 29, MEDIUM 26, LOW 1

Vulnerabilities

Page 2 of 4
CVE-2025-64111 | P2 | CRITICAL | CWE-78 | affected: ≥ 0, < 0.13.4 | 2026-02-06
Gogs's update .git/config file allows remote command execution
### Summary Due to the insufficient patch for https://github.com/gogs/gogs/security/advisories/GHSA-wj44-9vcg-wjq7, it is still possible to update files in the `.git` directory and achieve remote command execution. ### Details The `UpdateRepoFile` function performs its security check only under some if conditions. While the UpdateRepoFile call in the API router wi
Sources: GHSA, OSV
CVE-2022-0870 | P3 | MEDIUM | PoC | CWE-918 | affected: ≥ 0, < 0.12.5 | 2022-03-12
SSRF in repository migration
Gogs is a self-hosted Git service. A malicious user is able to discover services on the internal network through the repository migration functionality. All installations accepting public traffic are affected. Internal network CIDRs are prohibited from being used as repository migration targets. Users should upgrade to 0.12.5 or the latest 0.13.0+dev. Gogs should be run in its own private network until users can u
Sources: GHSA, OSV
CVE-2025-64175 | P3 | HIGH | CWE-287 | affected: ≥ 0.11.19, < 0.13.4 | 2026-02-06
Gogs Vulnerable to 2FA Bypass via Recovery Code
Contact OpenAI Security Research at [email protected] to engage on this report. See PDF report for easier reading. Security Advisory: 2FA Bypass via Recovery Code. Vulnerability Type: 2FA Authentication Bypass. Affected Software: GOGS. Severity: High. Date: Aug 5, 2025. Discoverer: OpenAI Security Research. Summary: Gogs' 2FA recovery code validation does not sco
Sources: GHSA, OSV
CVE-2021-32546 | P3 | CRITICAL | CWE-78 | affected: ≥ 0, < 0.12.8 | 2022-06-02
OS Command Injection in gogs
### Impact A malicious user is able to update a crafted `config` file in the repository's `.git` directory to gain SSH access to the server. All installations with [repository upload enabled (default)](https://github.com/gogs/gogs/blob/f36eeedbf89328ee70cc3a2e239f6314f9021f58/conf/app.ini#L127-L129) are affected. ### Patches Repository file updates to its `.git` directory are prohibited. Users sho
Sources: GHSA, OSV
CVE-2026-25119 | P3 | HIGH | CWE-290 | affected: ≥ 0, < 0.14.3 | 2026-06-22
Gogs has an Authentication Bypass via Unvalidated Reverse Proxy Headers
## Summary When `ENABLE_REVERSE_PROXY_AUTHENTICATION` is enabled, Gogs accepts the configured authentication header (default: `X-WEBAUTH-USER`) directly from client requests without validating that the request originated from a trusted reverse proxy. Any remote attacker who can reach the Gogs service can forge this header
Sources: GHSA
CVE-2024-54148 | P3 | HIGH | CWE-22 | affected: ≥ 0, < 0.13.1 | 2024-12-23
Remote Command Execution in file editing in gogs
### Impact A malicious user is able to commit and edit a crafted symlink file in a repository to gain SSH access to the server. ### Patches Editing a symlink while changing its file name has been prohibited via the repository web editor (https://github.com/gogs/gogs/pull/7857). Users should upgrade to 0.13.1 or the latest 0.14.0+dev. ### Workarounds No viable worka
Sources: GHSA, OSV
CVE-2026-52811 | P3 | CRITICAL | CWE-22 | affected: ≥ 0, < 0.14.3 | 2026-06-23
Gogs: UploadRepoFiles writes outside repo working tree via committed parent sym
Summary `(*Repository).UploadRepoFiles` checks for symlinks only on the **leaf** of the upload target (`osx.IsSymlink(targetPath)`). The siblings `UpdateRepoFile`, `DeleteRepoFile`, and `GetDiffPreview` use `hasSymlinkInPath`, which lstats every component; `UploadRepoFiles` is the lone outlier. An attac
Sources: GHSA
CVE-2026-24135 | P3 | HIGH | CWE-22 | affected: ≥ 0, < 0.13.4 | 2026-02-06
Gogs vulnerable to arbitrary file deletion via Path Traversal in wiki page update
### Summary A Path Traversal vulnerability exists in the `updateWikiPage` function of Gogs. The vulnerability allows an authenticated user with write access to a repository's wiki to delete arbitrary files on the server by manipulating the `old_title` parameter in the wiki editing form. ### Vulnerability
Sources: GHSA, OSV
CVE-2026-52805 | P3 | HIGH | affected: ≥ 0, < 0.14.3 | 2026-06-23
Gogs has a Migration Redirect Bypass that Leads to Internal Repository Theft
# Migration URL validation bypass via HTTP redirect to blocked internal endpoints ## Summary A Server-Side Request Forgery (SSRF) vulnerability exists in the repository migration functionality. The application validates only the initially submitted URL hostname, but `git clone --mirror` follows HTTP redirects. An authen
Sources: GHSA
CVE-2026-25921 | P3 | CRITICAL | CWE-345 | affected: ≥ 0, < 0.14.2 | 2026-03-05
Gogs: Cross-repository LFS object overwrite via missing content hash verification
### Summary LFS objects that can be overwritten across different repositories lead to a supply-chain attack: every LFS object can be maliciously overwritten by an attacker. ### Details Gogs stores all LFS objects in the same place, with no isolation between repositories (repo id not concatenat
Sources: GHSA, OSV
CVE-2018-15192 | P3 | HIGH | CWE-918 | affected: ≥ 0, < 0.12.0 | 2022-05-14
Gogs and Gitea SSRF Vulnerability
An SSRF vulnerability in webhooks in Gitea through 1.5.0-rc2 and Gogs through 0.11.53 allows remote attackers to access intranet services.
Sources: GHSA, OSV
CVE-2026-52797 | P3 | HIGH | CWE-22 | affected: ≥ 0, < 0.14.0 | 2026-06-16
Gogs: Overwriting critical files results in a denial of service
**Vulnerability type:** Path Traversal **Impact:** DoS **Exploitation prerequisite:** authorized user **Description:** As an authorized user, an intruder can dictate the value which is passed to the `git diff` command which, together with bypassing the filtering of the passed value, allows the user to bypass the target directory and write t
Sources: GHSA
CVE-2026-52798 | P3 | HIGH | CWE-79 | affected: ≥ 0, < 0.14.3 | 2026-06-22
Gogs has Stored XSS in `.ipynb` Preview
# Summary Although `.ipynb` previews are sanitized on the server side via `/-/api/sanitize_ipynb`, the inserted content is **re-rendered on the client side without sanitization** using `marked()` on elements with the `.nb-markdown-cell` class. During this process, links containing schemes such as `javascript:` can be regenerated. As a result, when a victim views an attacker-crafted `.i
Sources: GHSA
CVE-2026-47267 | P3 | MEDIUM | CVSS 6.5 | CWE-918 | affected: ≥ 0, < 0.14.3 | 2026-06-22
Gogs has SSRF in webhook deliveries
### Summary The fix for CVE-2022-1285 prevents adding webhooks, or running webhooks, with URLs whose hostname resolves into localCIDRs. However, webhooks still follow redirects, allowing access to hostnames inside localCIDRs. This was already communicated in the initial report but it looks like there was a bit of a miscommunication. ### Details By creating a webhook pointing to any URL that
Sources: GHSA
CVE-2026-52800 | P3 | HIGH | CWE-352 | affected: ≥ 0, < 0.14.3 | 2026-06-23
Gogs Vulnerable to CSRF Leading to Organization Owner Takeover
## Summary In **Gogs 0.14.1**, organization team member management can be performed via **GET requests without CSRF protection**. If a victim who is an **organization owner** is logged in and is tricked into visiting a crafted link, an attacker-controlled user can be added to the **Owners** team. As a result, the attacker gains **organizati
Sources: GHSA
CVE-2018-20303 | P3 | CRITICAL | CVSS 9.8 | CWE-22 | affected: ≥ 0, < 0.11.82.1218 | 2022-05-14
Gogs Directory Traversal
In pkg/tool/path.go in Gogs before 0.11.82.1218, a directory traversal in the file-upload functionality can allow an attacker to create a file under data/sessions on the server, a similar issue to CVE-2018-18925.
Sources: GHSA, OSV
CVE-2022-0871 | P3 | HIGH | CWE-862 | affected: ≥ 0, < 0.12.5 | 2022-03-14
Gogs vulnerable to improper PAM authorization handling
### Impact Expired PAM accounts and accounts with expired passwords continue to be seen as valid. Installations that use PAM as an authentication source are affected. ### Patches Expired PAM accounts and accounts with expired passwords are no longer seen as valid. Users should upgrade to 0.12.5 or the latest 0.13.0+dev. ### Workarounds In addition t
Sources: GHSA, OSV
CVE-2026-52801 | P3 | HIGH | CWE-20 | affected: ≥ 0, < 0.14.3 | 2026-06-23
Gogs has the ability to import local repositories via Mirror Settings
### Summary The Gogs Mirror Settings functionality provides an alternative path, beside the well-protected New Migration functionality, for any authenticated user to import local repositories. This issue stems from a lack of validation in the SaveAddress function. ### Details Here is the function implementation of the secure New Migrati
Sources: GHSA
CVE-2024-39933 | P3 | HIGH | CVSS 7.7 | CWE-88 | affected: ≥ 0, < 0.13.1 | 2024-12-23
Gogs allows argument Injection when tagging new releases
### Impact Unprivileged user accounts with at least one SSH key can read arbitrary files on the system. For instance, they could leak the configuration files that could contain database credentials (`[database] *`) and `[security] SECRET_KEY`. Attackers could also exfiltrate TLS certificates, other users' repositories, and the Gogs database when the SQL
Sources: GHSA, OSV
CVE-2019-14544 | P3 | CRITICAL | CWE-200 | affected: ≥ 0, < 0.11.91 | 2021-05-18
Insecure Permissions in Gogs
routes/api/v1/api.go in Gogs 0.11.86 lacks permission checks for routes: deploy keys, collaborators, and hooks.
Sources: GHSA, OSV