gogs.io/gogs vulnerabilities
73 known vulnerabilities affecting gogs.io/gogs.
Total CVEs: 73
CISA KEV: 1 (actively exploited)
Public exploits: 8
Exploited in wild: 3
Severity breakdown: CRITICAL 17, HIGH 29, MEDIUM 26, LOW 1
Vulnerabilities
Page 2 of 4
CVE-2025-64111 | P2 | CRITICAL | affected: ≥ 0, < 0.13.4 | 2026-02-06
CVE-2025-64111 [CRITICAL] CWE-78 Gogs's update .git/config file allows remote command execution
Gogs's update .git/config file allows remote command execution
### Summary
Due to the insufficient patch for the https://github.com/gogs/gogs/security/advisories/GHSA-wj44-9vcg-wjq7, it's still possible to update files in the `.git` directory and achieve remote command execution.
### Details
The `UpdateRepoFile` function only performs its security check under certain `if` conditions. When `UpdateRepoFile` is called from the API router wi
Sources: GHSA, OSV
CVE-2022-0870 | P3 | MEDIUM | PoC | affected: ≥ 0, < 0.12.5 | 2022-03-12
CVE-2022-0870 [MEDIUM] CWE-918 SSRF in repository migration
SSRF in repository migration
Gogs is a self-hosted Git service. A malicious user can discover services on the internal network through the repository migration functionality. All installations accepting public traffic are affected. Internal network CIDRs are now prohibited as repository migration targets. Users should upgrade to 0.12.5 or the latest 0.13.0+dev. Gogs should be run in its own private network until users can u
Sources: GHSA, OSV
CVE-2025-64175 | P3 | HIGH | affected: ≥ 0.11.19, < 0.13.4 | 2026-02-06
CVE-2025-64175 [HIGH] CWE-287 Gogs Vulnerable to 2FA Bypass via Recovery Code
Gogs Vulnerable to 2FA Bypass via Recovery Code
Contact OpenAI Security Research at [email protected] to engage on this report.
See PDF report for easier reading.
Security Advisory: 2FA Bypass via Recovery Code
Vulnerability Type: 2FA Authentication Bypass
Affected Software: GOGS
Severity: High
Date: Aug 5, 2025
Discoverer: OpenAI Security Research
Summary
Gogs’ 2FA recovery code validation does not sco
Sources: GHSA, OSV
CVE-2021-32546 | P3 | CRITICAL | affected: ≥ 0, < 0.12.8 | 2022-06-02
CVE-2021-32546 [CRITICAL] CWE-78 OS Command Injection in gogs
OS Command Injection in gogs
### Impact
A malicious user can upload a crafted `config` file into a repository's `.git` directory to gain SSH access to the server. All installations with [repository upload enabled (default)](https://github.com/gogs/gogs/blob/f36eeedbf89328ee70cc3a2e239f6314f9021f58/conf/app.ini#L127-L129) are affected.
### Patches
Repository file updates to the `.git` directory are now prohibited. Users sho
Sources: GHSA, OSV
CVE-2026-25119 | P3 | HIGH | affected: ≥ 0, < 0.14.3 | 2026-06-22
CVE-2026-25119 [HIGH] CWE-290 Gogs has an Authentication Bypass via Unvalidated Reverse Proxy Headers
Gogs has an Authentication Bypass via Unvalidated Reverse Proxy Headers
## Summary
When `ENABLE_REVERSE_PROXY_AUTHENTICATION` is enabled, Gogs accepts the configured authentication header (default: `X-WEBAUTH-USER`) directly from client requests without validating that the request originated from a trusted reverse proxy. Any remote attacker who can reach the Gogs service can forge this header
Source: GHSA
CVE-2024-54148 | P3 | HIGH | affected: ≥ 0, < 0.13.1 | 2024-12-23
CVE-2024-54148 [HIGH] CWE-22 Remote Command Execution in file editing in gogs
Remote Command Execution in file editing in gogs
### Impact
A malicious user can commit a crafted symlink file to a repository and then edit it to gain SSH access to the server.
### Patches
Editing symlink while changing the file name has been prohibited via the repository web editor (https://github.com/gogs/gogs/pull/7857). Users should upgrade to 0.13.1 or the latest 0.14.0+dev.
### Workarounds
No viable worka
Sources: GHSA, OSV
CVE-2026-52811 | P3 | CRITICAL | affected: ≥ 0, < 0.14.3 | 2026-06-23
CVE-2026-52811 [CRITICAL] CWE-22 Gogs: UploadRepoFiles writes outside repo working tree via committed parent sym
Gogs: UploadRepoFiles writes outside repo working tree via committed parent sym
Summary
`(*Repository).UploadRepoFiles` checks for symlinks only on the **leaf** of the upload target (`osx.IsSymlink(targetPath)`). The siblings `UpdateRepoFile`, `DeleteRepoFile`, and `GetDiffPreview` use `hasSymlinkInPath`, which lstats every component — `UploadRepoFiles` is the lone outlier. An attac
Source: GHSA
CVE-2026-24135 | P3 | HIGH | affected: ≥ 0, < 0.13.4 | 2026-02-06
CVE-2026-24135 [HIGH] CWE-22 Gogs vulnerable to arbitrary file deletion via Path Traversal in wiki page update
Gogs vulnerable to arbitrary file deletion via Path Traversal in wiki page update
### Summary
A Path Traversal vulnerability exists in the `updateWikiPage` function of Gogs. The vulnerability allows an authenticated user with write access to a repository's wiki to delete arbitrary files on the server by manipulating the `old_title` parameter in the wiki editing form.
### Vulnerability
Sources: GHSA, OSV
CVE-2026-52805 | P3 | HIGH | affected: ≥ 0, < 0.14.3 | 2026-06-23
CVE-2026-52805 [HIGH] Gogs has a Migration Redirect Bypass that Leads to Internal Repository Theft
Gogs has a Migration Redirect Bypass that Leads to Internal Repository Theft
# Migration URL validation bypass via HTTP redirect to blocked internal endpoints
## Summary
A Server-Side Request Forgery (SSRF) vulnerability exists in the repository migration functionality. The application validates only the initially submitted URL hostname, but `git clone --mirror` follows HTTP redirects. An authen
Source: GHSA
CVE-2026-25921 | P3 | CRITICAL | affected: ≥ 0, < 0.14.2 | 2026-03-05
CVE-2026-25921 [CRITICAL] CWE-345 Gogs: Cross-repository LFS object overwrite via missing content hash verification
Gogs: Cross-repository LFS object overwrite via missing content hash verification
### Summary
An LFS object can be overwritten from a different repository, which enables a supply-chain attack: every LFS object on the instance can be maliciously overwritten by an attacker.
### Details
Gogs stores all LFS objects in the same place, with no isolation between repositories (the repo id is not concatenat
Sources: GHSA, OSV
CVE-2018-15192 | P3 | HIGH | affected: ≥ 0, < 0.12.0 | 2022-05-14
CVE-2018-15192 [HIGH] CWE-918 Gogs and Gitea SSRF Vulnerability
Gogs and Gitea SSRF Vulnerability
An SSRF vulnerability in webhooks in Gitea through 1.5.0-rc2 and Gogs through 0.11.53 allows remote attackers to access intranet services.
Sources: GHSA, OSV
CVE-2026-52797 | P3 | HIGH | affected: ≥ 0, < 0.14.0 | 2026-06-16
CVE-2026-52797 [HIGH] CWE-22 Gogs: Overwriting critical files results in a denial of service
Gogs: Overwriting critical files results in a denial of service
**Vulnerability type:** Path Traversal
**Impact:** DoS
**Exploitation prerequisite:** authorized user
**Description:** As an authorized user, an intruder can dictate the value which is passed to the `git diff` command which, together with bypassing the filtering of the passed value, allows the user to bypass the target directory and write t
Source: GHSA
CVE-2026-52798 | P3 | HIGH | affected: ≥ 0, < 0.14.3 | 2026-06-22
CVE-2026-52798 [HIGH] CWE-79 Gogs has Stored XSS in `.ipynb` Preview
Gogs has Stored XSS in `.ipynb` Preview
# Summary
Although `.ipynb` previews are sanitized on the server side via `/-/api/sanitize_ipynb`, the inserted content is **re-rendered on the client side without sanitization** using `marked()` on elements with the `.nb-markdown-cell` class. During this process, links containing schemes such as `javascript:` can be regenerated.
As a result, when a victim views an attacker-crafted `.i
Source: GHSA
CVE-2026-47267 | P3 | MEDIUM | CVSS 6.5 | affected: ≥ 0, < 0.14.3 | 2026-06-22
CVE-2026-47267 [MEDIUM] CWE-918 Gogs has SSRF in webhook deliveries
Gogs has SSRF in webhook deliveries
### Summary
The fix for CVE-2022-1285 prevents adding or running webhooks with URLs whose hostname resolves into localCIDRs. However, webhooks still follow redirects, which allows access to hostnames inside localCIDRs.
This was already communicated in the initial report but it looks like there was a bit of a miscommunication.
### Details
By creating a webhook pointing to any URL that
Source: GHSA
CVE-2026-52800 | P3 | HIGH | affected: ≥ 0, < 0.14.3 | 2026-06-23
CVE-2026-52800 [HIGH] CWE-352 Gogs Vulnerable to CSRF Leading to Organization Owner Takeover
Gogs Vulnerable to CSRF Leading to Organization Owner Takeover
## Summary
In **Gogs 0.14.1**, organization team member management can be performed via **GET requests without CSRF protection**.
If a victim who is an **organization owner** is logged in and is tricked into visiting a crafted link, an attacker-controlled user can be added to the **Owners** team. As a result, the attacker gains **organizati
Source: GHSA
CVE-2018-20303 | P3 | CRITICAL | CVSS 9.8 | affected: ≥ 0, < 0.11.82.1218 | 2022-05-14
CVE-2018-20303 [CRITICAL] CWE-22 Gogs Directory Traversal
Gogs Directory Traversal
In pkg/tool/path.go in Gogs before 0.11.82.1218, a directory traversal in the file-upload functionality can allow an attacker to create a file under data/sessions on the server, a similar issue to CVE-2018-18925.
Sources: GHSA, OSV
CVE-2022-0871 | P3 | HIGH | affected: ≥ 0, < 0.12.5 | 2022-03-14
CVE-2022-0871 [HIGH] CWE-862 Gogs vulnerable to improper PAM authorization handling
Gogs vulnerable to improper PAM authorization handling
### Impact
Expired PAM accounts and accounts with expired passwords continue to be treated as valid. Installations that use PAM as an authentication source are affected.
### Patches
Expired PAM accounts and accounts with expired passwords are no longer treated as valid. Users should upgrade to 0.12.5 or the latest 0.13.0+dev.
### Workarounds
In addition t
Sources: GHSA, OSV
CVE-2026-52801 | P3 | HIGH | affected: ≥ 0, < 0.14.3 | 2026-06-23
CVE-2026-52801 [HIGH] CWE-20 Gogs has the ability to import local repositories via Mirror Settings
Gogs has the ability to import local repositories via Mirror Settings
### Summary
The Gogs Mirror Settings functionality provides any authenticated user with an alternative to the well-protected New Migration functionality for importing local repositories. This issue stems from a lack of validation in the SaveAddress function.
### Details
Here is the function implementation of the secure New Migrati
Source: GHSA
CVE-2024-39933 | P3 | HIGH | CVSS 7.7 | affected: ≥ 0, < 0.13.1 | 2024-12-23
CVE-2024-39933 [HIGH] CWE-88 Gogs allows argument Injection when tagging new releases
Gogs allows argument Injection when tagging new releases
### Impact
Unprivileged user accounts with at least one SSH key can read arbitrary files on the system. For instance, they could leak the configuration files that could contain database credentials (`[database] *`) and `[security] SECRET_KEY`. Attackers could also exfiltrate TLS certificates, other users' repositories, and the Gogs database when the SQL
Sources: GHSA, OSV
CVE-2019-14544 | P3 | CRITICAL | affected: ≥ 0, < 0.11.91 | 2021-05-18
CVE-2019-14544 [CRITICAL] CWE-200 Insecure Permissions in Gogs
Insecure Permissions in Gogs
routes/api/v1/api.go in Gogs 0.11.86 lacks permission checks for routes: deploy keys, collaborators, and hooks.
Sources: GHSA, OSV