gogs.io/gogs
Go60 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting gogs.io/gogspage 1 of 2
- CVE-2014-8681NONECVSS 0.0EG 0.0✓ Fixed in 0.5.82014-11-21
SQL injection vulnerability in the GetIssues function in models/issue.go in Gogs (aka Go Git Service) 0.3.1-9 through 0.5.6.x before 0.5.6.1025 Beta allows remote attackers to execute arbitrary SQL commands via the label parameter to user/…
- CVE-2014-8682NONECVSS 0.0EG 0.0✓ Fixed in 0.5.82014-11-21
Multiple SQL injection vulnerabilities in Gogs (aka Go Git Service) 0.3.1-9 through 0.5.x before 0.5.6.1105 Beta allow remote attackers to execute arbitrary SQL commands via the q parameter to (1) api/v1/repos/search, which is not properly…
- CVE-2014-8683NONECVSS 0.0EG 0.0✓ Fixed in 0.5.82014-11-21
Cross-site scripting (XSS) vulnerability in models/issue.go in Gogs (aka Go Git Service) 0.3.1-9 through 0.5.x before 0.5.8 allows remote attackers to inject arbitrary web script or HTML via the text parameter to api/v1/markdown.
- CVE-2018-15178MEDIUMCVSS 6.1EG 6.1✓ Fixed in 0.12.02018-08-08
Open redirect vulnerability in Gogs before 0.12 allows remote attackers to redirect users to arbitrary websites and conduct phishing attacks via an initial /\ substring in the user/login redirect_to parameter, related to the function isVal…
- CVE-2018-15192HIGHCVSS 8.6EG 8.6✓ Fixed in 0.12.02018-08-08
An SSRF vulnerability in webhooks in Gitea through 1.5.0-rc2 and Gogs through 0.11.53 allows remote attackers to access intranet services.
- CVE-2018-17031MEDIUMCVSS 6.1EG 6.1✓ Fixed in 0.12.02018-09-14
In Gogs 0.11.53, an attacker can use a crafted .eml file to trigger MIME type sniffing, which leads to XSS, as demonstrated by Internet Explorer, because an "X-Content-Type-Options: nosniff" header is not sent.
- CVE-2018-20303HIGHCVSS 7.5EG 7.5✓ Fixed in 0.11.80-0.20181218063808-ff93d9dbda5c2018-12-20
In pkg/tool/path.go in Gogs before 0.11.82.1218, a directory traversal in the file-upload functionality can allow an attacker to create a file under data/sessions on the server, a similar issue to CVE-2018-18925.
- CVE-2019-14544CRITICALCVSS 9.8EG 9.8✓ Fixed in 0.11.912019-08-02
routes/api/v1/api.go in Gogs 0.11.86 lacks permission checks for routes: deploy keys, collaborators, and hooks.
- CVE-2020-14958MEDIUMCVSS 6.5EG 6.5✓ Fixed in 0.12.02020-06-21
In Gogs 0.11.91, MakeEmailPrimary in models/user_mail.go lacks a "not the owner of the email" check.
- CVE-2021-32546HIGHCVSS 8.8EG 8.8✓ Fixed in 0.12.82022-06-02
Missing input validation in internal/db/repo_editor.go in Gogs before 0.12.8 allows an attacker to execute code remotely. An unprivileged attacker (registered user) can overwrite the Git configuration in his repository. This leads to Remot…
- CVE-2022-0415HIGHCVSS 8.8EG 9.0✓ Fixed in 0.12.62022-03-21
Remote Command Execution in uploading repository file in GitHub repository gogs/gogs prior to 0.12.6.
- CVE-2022-0870MEDIUMCVSS 5.3EG 5.3✓ Fixed in 0.12.52022-03-11
Server-Side Request Forgery (SSRF) in GitHub repository gogs/gogs prior to 0.12.5.
- CVE-2022-0871CRITICALCVSS 9.1EG 9.1✓ Fixed in 0.12.52022-03-11
Missing Authorization in GitHub repository gogs/gogs prior to 0.12.5.
- CVE-2022-1285MEDIUMCVSS 6.5EG 6.5✓ Fixed in 0.12.82022-06-01
Server-Side Request Forgery (SSRF) in GitHub repository gogs/gogs prior to 0.12.8.
- CVE-2022-1464MEDIUMCVSS 5.4EG 5.4✓ Fixed in 0.12.72022-05-05
Stored xss bug in GitHub repository gogs/gogs prior to 0.12.7. As the repo is public , any user can view the report and when open the attachment then xss is executed. This bug allow executed any javascript code in victim account .
- CVE-2022-1884CRITICALCVSS 9.8EG 9.8✓ Fixed in 0.12.82024-11-15
A remote command execution vulnerability exists in gogs/gogs versions <=0.12.7 when deployed on a Windows server. The vulnerability arises due to improper validation of the `tree_path` parameter during file uploads. An attacker can set `tr…
- CVE-2022-1986CRITICALCVSS 9.8EG 9.8✓ Fixed in 0.12.92022-06-09
OS Command Injection in GitHub repository gogs/gogs prior to 0.12.9.
- CVE-2022-1992CRITICALCVSS 9.1EG 9.1✓ Fixed in 0.12.92022-06-09
Path Traversal in GitHub repository gogs/gogs prior to 0.12.9.
- CVE-2022-1993HIGHCVSS 8.1EG 8.1✓ Fixed in 0.12.92022-06-09
Path Traversal in GitHub repository gogs/gogs prior to 0.12.9.
- CVE-2022-2024CRITICALCVSS 9.8EG 9.8✓ Fixed in 0.12.112023-02-25
OS Command Injection in GitHub repository gogs/gogs prior to 0.12.11.
- CVE-2022-31038MEDIUMCVSS 5.4EG 5.4✓ Fixed in 0.12.92022-06-09
Gogs is an open source self-hosted Git service. In versions of gogs prior to 0.12.9 `DisplayName` does not filter characters input from users, which leads to an XSS vulnerability when directly displayed in the issue list. This issue has be…
- CVE-2022-32174CRITICALCVSS 9.0EG 9.02022-10-11
In Gogs, versions v0.6.5 through v0.12.10 are vulnerable to Stored Cross-Site Scripting (XSS) that leads to an account takeover.
- CVE-2024-39930CRITICALCVSS 9.9EG 9.9✓ Fixed in 0.13.12024-07-04
The built-in SSH server of Gogs through 0.13.0 allows argument injection in internal/ssh/ssh.go, leading to remote code execution. Authenticated attackers can exploit this by opening an SSH connection and sending a malicious --split-string…
- CVE-2024-39931CRITICALCVSS 9.9EG 9.9✓ Fixed in 0.13.12024-07-04
Gogs through 0.13.0 allows deletion of internal files.
- CVE-2024-39932CRITICALCVSS 9.9EG 9.9✓ Fixed in 0.13.12024-07-04
Gogs through 0.13.0 allows argument injection during the previewing of changes.
- CVE-2024-39933HIGHCVSS 7.7EG 7.7✓ Fixed in 0.13.12024-07-04
Gogs through 0.13.0 allows argument injection during the tagging of a new release.
- CVE-2024-44625HIGHCVSS 8.8EG 8.82024-11-15
Gogs <=0.13.0 is vulnerable to Directory Traversal via the editFilePost function of internal/route/repo/editor.go.
- CVE-2024-54148CRITICALCVSS 9.8EG 9.8✓ Fixed in 0.13.12024-12-23
Gogs is an open source self-hosted Git service. A malicious user is able to commit and edit a crafted symlink file to a repository to gain SSH access to the server. The vulnerability is fixed in 0.13.1.
- CVE-2024-55947HIGHCVSS 8.8EG 8.8✓ Fixed in 0.13.12024-12-23
Gogs is an open source self-hosted Git service. A malicious user is able to write a file to an arbitrary path on the server to gain SSH access to the server. The vulnerability is fixed in 0.13.1.
- CVE-2024-56731CRITICALCVSS 10.0EG 10.0✓ Fixed in 0.13.32025-06-24
Gogs is an open source self-hosted Git service. Prior to version 0.13.3, it's still possible to delete files under the .git directory and achieve remote command execution due to an insufficient patch for CVE-2024-39931. Unprivileged user a…
- CVE-2025-47943MEDIUMCVSS 6.3EG 6.3✓ Fixed in 0.13.3-0.20250608224432-110117b2e5e52025-06-24
Gogs is an open source self-hosted Git service. In application version 0.14.0+dev and prior, there is a stored cross-site scripting (XSS) vulnerability present in Gogs, which allows client-side Javascript code execution. The vulnerability …
- CVE-2025-64111CRITICALCVSS 9.8EG 9.82026-02-06
Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, due to the insufficient patch for CVE-2024-56731, it's still possible to update files in the .git directory and achieve remote command execution. This issue has b…
- CVE-2025-64175HIGHCVSS 8.8EG 8.82026-02-06
Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, Gogs’ 2FA recovery code validation does not scope codes by user, enabling cross-account bypass. If an attacker knows a victim’s username and password, they ca…
- CVE-2025-64719MEDIUMCVSS 4.9EG 4.9✓ Fixed in 0.14.32026-06-22
Gogs is an open source self-hosted Git service. Prior to 0.14.3, a malicious user with rights to create a new file on a repository or wiki page can trigger a denial of service condition in which the pages containing the listing of files wi…
- CVE-2025-8110HIGHCVSS 8.8EG 9.0⚠ KEV2025-12-10
Improper Symbolic link handling in the PutContents API in Gogs allows Local Execution of Code.
- CVE-2026-22592MEDIUMCVSS 6.5EG 6.52026-02-06
Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, an authenticated user can cause a DOS attack. If one of the repo files is deleted before synchronization, it will cause the application to crash. This issue has b…
- CVE-2026-23632MEDIUMCVSS 6.5EG 6.52026-02-06
Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, the endpoint "PUT /repos/:owner/:repo/contents/*" does not require write permissions and allows access with read permission only via repoAssignment(). After passi…
- CVE-2026-23633MEDIUMCVSS 6.5EG 6.52026-02-06
Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, there is an arbitrary file read/write via path traversal in Git hook editing. This issue has been patched in versions 0.13.4 and 0.14.0+dev.
- CVE-2026-24135HIGHCVSS 8.1EG 8.12026-02-06
Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, a path traversal vulnerability exists in the updateWikiPage function of Gogs. The vulnerability allows an authenticated user with write access to a repository's w…
- CVE-2026-25119HIGHCVSS 7.7EG 7.7✓ Fixed in 0.14.32026-06-22
Gogs is an open source self-hosted Git service. Prior to 0.14.3, when ENABLE_REVERSE_PROXY_AUTHENTICATION is enabled, Gogs accepts the configured authentication header (default: X-WEBAUTH-USER) directly from client requests without validat…
- CVE-2026-47267HIGHCVSS 8.3EG 8.3✓ Fixed in 0.14.32026-06-22
Gogs is an open source self-hosted Git service. Prior to 0.14.3, the fix for CVE-2022-1285 prevents adding webooks or running webhooks with URLs with a hostname that resolves in localCIDRs. However, webhooks still follow redirects allowing…
- CVE-2026-52796LOWCVSS 3.5EG 3.5✓ Fixed in 0.14.32026-06-22
Gogs is an open source self-hosted Git service. Prior to 0.14.3, specially crafted issue index pattern can cause a panic when rendering, resulting in denial of service. In internal/markup/markup.go, RenderIssueIndexPattern renders the issu…
- CVE-2026-52797HIGHCVSS 8.5EG 8.5✓ Fixed in 0.14.02026-06-16
Gogs is an open source self-hosted Git service. Prior to 0.14.0, as an authorized user, an intruder can dictate the value which is passed to the git diff command which, together with bypassing the filtering of the passed value, allows the …
- CVE-2026-52798HIGHCVSS 8.9EG 8.9✓ Fixed in 0.14.32026-06-22
Gogs is an open source self-hosted Git service. Prior to 0.14.3, although .ipynb previews are sanitized on the server side via /-/api/sanitize_ipynb, the inserted content is re-rendered on the client side without sanitization using marked(…
- CVE-2026-52799HIGHCVSS 7.5EG 7.5✓ Fixed in 0.14.32026-06-22
Gogs is an open source self-hosted Git service. Prior to 0.14.3, GET /attachments/:uuid returns the raw attachment file without verifying whether the requester has view permission for the associated Issue/Comment/Release or the repository.…
- CVE-2026-52800HIGHCVSS 8.8EG 8.8✓ Fixed in 0.14.32026-06-23
Gogs is an open source self-hosted Git service. Prior to 0.14.3, organization team member management can be performed via GET requests without CSRF protection. If a victim who is an organization owner is logged in and is tricked into visit…
- CVE-2026-52801HIGHCVSS 8.1EG 8.1✓ Fixed in 0.14.32026-06-23
Gogs is an open source self-hosted Git service. Prior to 0.14.3, the Gogs Mirror Settings functionality provide an alternative way from the well protected New Migration functionality for any authenticated users to import local repositories…
- CVE-2026-52802MEDIUMCVSS 5.4EG 5.4✓ Fixed in 0.14.32026-06-23
Gogs is an open source self-hosted Git service. Prior to 0.14.3, an open redirect vulnerability exists in Gogs where attacker-controlled redirect_to parameters can bypass validation, allowing redirection to arbitrary external sites. All re…
- CVE-2026-52804MEDIUMCVSS 5.5EG 5.5✓ Fixed in 0.14.32026-06-23
Gogs is an open source self-hosted Git service. Prior to 0.14.3, a repository admin collaborator can escalate their privileges to owner-level access by exploiting an off-by-one error in the ChangeCollaborationAccessMode function. This vuln…
- CVE-2026-52805HIGHCVSS 8.7EG 8.7✓ Fixed in 0.14.32026-06-23
Gogs is an open source self-hosted Git service. Prior to 0.14.3, a Server-Side Request Forgery (SSRF) vulnerability exists in the repository migration functionality. The application validates only the initially submitted URL hostname, but …
Check whether gogs.io/gogs is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for gogs.io/gogs CVEs against the assets you own.
Start Free Scan →