
Gogs.Io Gogs vulnerabilities

73 known vulnerabilities affecting gogs.io/gogs.

Total CVEs: 73
CISA KEV: 1 (actively exploited)
Public exploits: 8
Exploited in wild: 3
Severity breakdown: CRITICAL 17, HIGH 29, MEDIUM 26, LOW 1

Vulnerabilities

Page 3 of 4
CVE-2026-52799 | Priority: P3 | Severity: HIGH | Affected: ≥ 0, < 0.14.3 | Published: 2026-06-22
CVE-2026-52799 [HIGH] CWE-639 Gogs Missing Authorization in Attachment Download
Summary: In Gogs 0.14.1, `GET /attachments/:uuid` returns the raw attachment file **without verifying whether the requester has view permission for the associated Issue/Comment/Release or the repository**. In a test environment with `REQUIRE_SIGNIN_VIEW = false`, we confirmed that **an unauthenticated user can download attachments belonging to a private repository
Sources: GHSA
CVE-2022-1992 | Priority: P3 | Severity: CRITICAL | Affected: ≥ 0, < 0.12.9 | Published: 2022-06-08
CVE-2022-1992 [CRITICAL] CWE-22 Path Traversal in file editor on Windows in Gogs
Impact: The malicious user is able to delete and upload arbitrary file(s). All installations on Windows with [repository upload enabled (default)](https://github.com/gogs/gogs/blob/f36eeedbf89328ee70cc3a2e239f6314f9021f58/conf/app.ini#L127-L129) are affected.
Patches: Path cleaning has been accommodated for Windows. Users should upgrade to 0.12.9 or the latest 0.
Sources: GHSA, OSV
CVE-2026-52808 | Priority: P3 | Severity: HIGH | Affected: ≥ 0, < 0.14.3 | Published: 2026-06-23
CVE-2026-52808 [HIGH] CWE-269 Gogs's write-level collaborators can mutate admin-only repository settings via API
Summary: Three API endpoints — `PATCH /api/v1/repos/:owner/:repo/issue-tracker`, `PATCH /api/v1/repos/:owner/:repo/wiki`, and `POST /api/v1/repos/:owner/:repo/mirror-sync` — are gated by `reqRepoWriter()` rather than `reqRepoAdmin()`. The equivalent operations in the web UI sit behind `reqRepoAdmin`
Sources: GHSA
CVE-2026-52812 | Priority: P3 | Severity: HIGH | Affected: ≥ 0, < 0.14.3 | Published: 2026-06-23
CVE-2026-52812 [HIGH] CWE-345 Gogs: LFS dedupe path leaks private repo content across tenants
Summary: Git LFS storage is content-addressed by OID alone (`///`) but per-repo authorization lives in the `lfs_object` table keyed `(repo_id, oid)`. `serveUpload` skips re-uploading when the OID file already exists on disk and inserts a new `(repo_id, oid)` row pointing at it **without verifying the request body hashes to the OID being cl
Sources: GHSA
CVE-2026-23633 | Priority: P3 | Severity: MEDIUM | Affected: ≥ 0, < 0.13.4 | Published: 2026-02-06
CVE-2026-23633 [MEDIUM] CWE-22 Gogs has arbitrary file read/write via Path Traversal in Git hook editing
Vulnerability Description: In the endpoint:
```
/username/reponame/settings/hooks/git/:name
```
the `:name` parameter:
* Is URL-decoded by **macaron routing**, allowing decoded slashes (`/`)
* Is then passed directly to:
```go
git.Repository.Hook("custom_hooks", name)
```
which internally resolves the path as:
Sources: GHSA, OSV
CVE-2026-52810 | Priority: P3 | Severity: HIGH | Affected: ≥ 0, < 0.14.3 | Published: 2026-06-23
CVE-2026-52810 [HIGH] CWE-284 Gogs allows users to write to readonly repositories using receive-pack + service=git-upload-pack confusion
Summary: Git smart HTTP authorizes `POST …/git-receive-pack` using the client-supplied service query string (so `?service=git-upload-pack` is evaluated as read access) while routing still runs git receive-pack, allowing push where only read should be
Sources: GHSA
CVE-2026-25229 | Priority: P3 | Severity: MEDIUM | Affected: ≥ 0, < 0.14.0 | Published: 2026-02-17
CVE-2026-25229 [MEDIUM] CWE-284 Gogs has an Authorization Bypass Allows Cross-Repository Label Modification in Gogs
Summary: A broken access control vulnerability in Gogs allows authenticated users with write access to any repository to modify labels belonging to other repositories. The `UpdateLabel` function in the Web UI (`internal/route/repo/issue.go`) fails to verify that the label being modified belo
Sources: GHSA, OSV
CVE-2026-26194 | Priority: P3 | Severity: HIGH | Affected: ≥ 0, < 0.14.2 | Published: 2026-03-05
CVE-2026-26194 [HIGH] CWE-88 Gogs: Release tag option injection in release deletion
Summary: There is a security issue in Gogs where deleting a release can fail if a user-controlled tag name is passed to Git without the right separator, allowing Git option injection and therefore interfering with the process.
Affected Component:
- internal/database/release.go `process.ExecDir(..., "git", "tag", "-d", rel.TagName)`
Details: `re
Sources: GHSA, OSV
CVE-2026-23632 | Priority: P3 | Severity: MEDIUM | Affected: ≥ 0, < 0.13.4 | Published: 2026-02-06
CVE-2026-23632 [MEDIUM] CWE-862 Gogs user can update repository content with read-only permission
Vulnerability Description: The endpoint `PUT /repos/:owner/:repo/contents/*` does not require write permissions and allows access with **read permission only** via `repoAssignment()`. After passing the permission check, `PutContents()` invokes `UpdateRepoFile()`, which results in:
* Commit creation
* Execution of `git push`
As
Sources: GHSA, OSV
CVE-2026-52814 | Priority: P3 | Severity: MEDIUM | Affected: ≥ 0, < 0.14.3 | Published: 2026-06-23
CVE-2026-52814 [MEDIUM] CWE-400 Gogs has Unauthenticated Asymmetric Denial of Service (DoS) via SSH Handshake Stall (File Descriptor Exhaustion)
The Gogs built-in Go SSH server is vulnerable to an unauthenticated, asymmetric Denial of Service (DoS) attack. The application accepts inbound TCP connections and passes them to `golang.org/x/crypto/ssh.NewServerConn` inside a new goroutine
Sources: GHSA
CVE-2026-52809 | Priority: P3 | Severity: MEDIUM | Affected: ≥ 0, < 0.14.3 | Published: 2026-06-23
CVE-2026-52809 [MEDIUM] CWE-324 Gogs's password-reset tokens use account-activation lifetime, ignoring RESET_PASSWORD_CODE_LIVES
Summary: Password-reset tokens are generated using `conf.Auth.ActivateCodeLives` (the account-activation lifetime), not `conf.Auth.ResetPasswordCodeLives`. The token lifetime is baked into the token itself at generation time and is re-extracted from the token at verific
Sources: GHSA
CVE-2025-47943 | Priority: P4 | Severity: HIGH | CVSS 8.8 | Affected: ≥ 0, < 0.13.3-0.20250608224432-110117b2e5e5 | Published: 2025-06-26
CVE-2025-47943 [HIGH] CWE-79 Gogs XSS allowed by stored call in PDF renderer
Summary: A stored XSS is present in Gogs which allows client-side Javascript code execution.
Details: Gogs Version:
```
docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
gogs/gogs latest fe92583bc4fe 10 hours ago 99.3MB
```
Application version: `0.14.0+dev`
Local setup using:
```bash
# Pull image from Docker Hub.
docker pull gogs/gogs
# Create local directory
```
Sources: GHSA, OSV
CVE-2026-52802 | Priority: P4 | Severity: MEDIUM | Affected: ≥ 0, < 0.14.3 | Published: 2026-06-23
CVE-2026-52802 [MEDIUM] CWE-601 Gogs has an Open Redirect via redirect_to
Summary: An open redirect vulnerability exists in Gogs where attacker-controlled `redirect_to` parameters can bypass validation, allowing redirection to arbitrary external sites.
Details: All redirects in Gogs that are validated via the `IsSameSite` function are vulnerable:
```go
func IsSameSite(url string) bool { return len(url) >= 2 && url[0] == '/' && url[1] != '/' && u
```
Sources: GHSA
CVE-2026-52816 | Priority: P4 | Severity: MEDIUM | Affected: ≥ 0, < 0.14.3 | Published: 2026-06-23
CVE-2026-52816 [MEDIUM] CWE-79 Gogs's Unauthenticated Jupyter Notebook (ipynb) Sanitizer allows arbitrary data: URIs leading to XSS
Summary: The Jupyter Notebook (ipynb) sanitizer endpoint at `POST /-/api/sanitize_ipynb` allows arbitrary `data:` URIs without proper restrictions, potentially leading to Cross-Site Scripting (XSS). The endpoint uses `bluemonday.UGCPolicy()` with `p.AllowURLSchem
Sources: GHSA
CVE-2026-52804 | Priority: P4 | Severity: MEDIUM | Affected: ≥ 0, < 0.14.3 | Published: 2026-06-23
CVE-2026-52804 [MEDIUM] CWE-193 Gogs Vulnerable to Privilege Escalation via Collaboration Access Mode Validation
Summary: A repository admin collaborator can escalate their privileges to owner-level access by exploiting an off-by-one error in the `ChangeCollaborationAccessMode` function.
Vulnerable Code: In `internal/database/repo_collaboration.go`, line 129:
```go
func (r *Repository) ChangeCollaborationAc
```
Sources: GHSA
CVE-2026-22592 | Priority: P4 | Severity: MEDIUM | Affected: ≥ 0, < 0.13.4 | Published: 2026-02-06
CVE-2026-22592 [MEDIUM] CWE-862 Gogs has a Denial of Service issue
Summary: An authenticated user can cause a DoS attack. If one of the repo files is deleted before synchronization, it will cause the application to crash.
Details: If GetMirrorByRepoID fails, the error log dereferences a null pointer. This happens if the repository no longer exists. https://github.com/gogs/gogs/blob/4cc83c498b6ae59356a04912d68a932165bad5e6/internal/database/mirror.go#L333-
Sources: GHSA, OSV
CVE-2022-1285 | Priority: P4 | Severity: HIGH | Affected: ≥ 0, < 0.12.8 | Published: 2022-06-03
CVE-2022-1285 [HIGH] CWE-918 Server-Side Request Forgery in gogs webhook
Impact: The malicious user is able to discover services in the internal network through webhook functionality. All installations accepting public traffic are affected.
Patches: Webhook payload URLs are revalidated before each delivery to make sure they are not resolved to blocked local network addresses. Users should upgrade to 0.12.8 or the latest 0.13.0+dev.
Worka
Sources: GHSA, OSV
CVE-2020-14958 | Priority: P4 | Severity: MEDIUM | Affected: ≥ 0, < 0.12.0 | Published: 2021-05-18
CVE-2020-14958 [MEDIUM] CWE-281 Insecure Permissions in Gogs
In Gogs 0.11.91, MakeEmailPrimary in models/user_mail.go lacks a "not the owner of the email" check.
Sources: GHSA, OSV
CVE-2025-54880 | Priority: P4 | Severity: MEDIUM | CVSS 5.1 | Affected: ≥ 0, < 0.13.4 | Published: 2026-02-06
CVE-2025-54880 [MEDIUM] CWE-1395 Gogs vulnerable to Stored XSS via Mermaid diagrams
Summary: Stored XSS via mermaid diagrams due to usage of vulnerable renderer library
Details: Gogs introduced support for rendering mermaid diagrams in version [0.13.0](https://github.com/gogs/gogs/releases/tag/v0.13.0). Currently used version of the library [mermaid 11.9.0](https://github.com/gogs/gogs/tree/main/public/plugins/mermaid-11.9.0) is vulnerable to at least
Sources: GHSA, OSV
CVE-2026-26195 | Priority: P4 | Severity: MEDIUM | Affected: ≥ 0, ≤ 0.13.3 | Published: 2026-03-05
CVE-2026-26195 [MEDIUM] CWE-79 Gogs: Stored XSS in branch and wiki views through author and committer names
Summary: Stored XSS is still possible through unsafe template rendering that mixes user input with `safe()` plus permissive sanitizer handling of data URLs.
Details: `safe()` still turns off escaping:
- internal/template/template.go
- `func safe(raw string) template.HTML { return template.HTML(raw) }`
B
Sources: GHSA, OSV