gogs.io/gogs
Go60 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting gogs.io/gogspage 2 of 2
- CVE-2026-52806CRITICALCVSS 9.9EG 9.9✓ Fixed in 0.14.32026-06-23
Gogs is an open source self-hosted Git service. Prior to 0.14.3, Gogs allows authenticated users to achieve Remote Code Execution (RCE) on the server by creating a pull request with a specially crafted branch name that injects the --exec f…
- CVE-2026-52808HIGHCVSS 7.1EG 7.1✓ Fixed in 0.14.32026-06-23
Gogs is an open source self-hosted Git service. Prior to 0.14.3, three API endpoints — PATCH /api/v1/repos/:owner/:repo/issue-tracker, PATCH /api/v1/repos/:owner/:repo/wiki, and POST /api/v1/repos/:owner/:repo/mirror-sync — are gated b…
- CVE-2026-52809MEDIUMCVSS 6.8EG 6.8✓ Fixed in 0.14.32026-06-23
Gogs is an open source self-hosted Git service. Prior to 0.14.3, password-reset tokens are generated using conf.Auth.ActivateCodeLives (the account-activation lifetime), not conf.Auth.ResetPasswordCodeLives. The token lifetime is baked int…
- CVE-2026-52810HIGHCVSS 7.1EG 7.1✓ Fixed in 0.14.32026-06-23
Gogs is an open source self-hosted Git service. Prior to 0.14.3, Git smart HTTP authorizes POST …/git-receive-pack using the client-supplied service query string (so ?service=git-upload-pack is evaluated as read access) while routing sti…
- CVE-2026-52811CRITICALCVSS 9.0EG 9.0✓ Fixed in 0.14.32026-06-23
Gogs is an open source self-hosted Git service. Prior to 0.14.3, (*Repository).UploadRepoFiles checks for symlinks only on the leaf of the upload target (osx.IsSymlink(targetPath)). The siblings UpdateRepoFile, DeleteRepoFile, and GetDiffP…
- CVE-2026-52812HIGHCVSS 7.1EG 7.1✓ Fixed in 0.14.32026-06-23
Gogs is an open source self-hosted Git service. Prior to 0.14.3, Git LFS storage is content-addressed by OID alone (<LFS-root>/<oid[0]>/<oid[1]>/<oid>) but per-repo authorization lives in the lfs_object table keyed (repo_id, oid). serveUpl…
- CVE-2026-52813CRITICALCVSS 10.0EG 10.0✓ Fixed in 0.14.32026-06-23
Gogs is an open source self-hosted Git service. Prior to 0.14.3, organization names containing path traversal sequences (../) are accepted by Gogs, and repositories under them are written to paths following these path traversals. This allo…
- CVE-2026-52814MEDIUMCVSS 5.5EG 5.5✓ Fixed in 0.14.32026-06-23
Gogs is an open source self-hosted Git service. Prior to 0.14.3, the Gogs built-in Go SSH server is vulnerable to an unauthenticated, asymmetric Denial of Service (DoS) attack. The application accepts inbound TCP connections and passes the…
- CVE-2026-52815MEDIUMCVSS 5.5EG 5.5✓ Fixed in 0.14.32026-06-23
Gogs is an open source self-hosted Git service. Prior to 0.14.3, Gogs has an unauthenticated information disclosure vulnerability. The GET /api/v1/orgs/:orgname/teams endpoint at internal/route/api/v1/org_team.go:8 returns all teams for an…
- CVE-2026-52816MEDIUMCVSS 5.4EG 5.4✓ Fixed in 0.14.32026-06-23
Gogs is an open source self-hosted Git service. Prior to 0.14.3, the Jupyter Notebook (ipynb) sanitizer endpoint at POST /-/api/sanitize_ipynb allows arbitrary data: URIs without proper restrictions, potentially leading to Cross-Site Scrip…
Check whether gogs.io/gogs is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for gogs.io/gogs CVEs against the assets you own.
Start Free Scan →