2 matches found
PT-2026-51624
Name of the Vulnerable Software and Affected Versions Gogs versions prior to 0.14.3 Description Authenticated users can achieve Remote Code Execution RCE on the server during the "Rebase before merging" operation in pull requests. The issue stems from improper argument handling where the base...
Gogs: Access tokens get exposed through URL params in API requests
Summary The Gogs API still accepts tokens in URL parameters such as token and accesstoken, which can leak through logs, browser history, and referrers. Details A static review shows that the API still checks tokens in the URL query before looking at headers: - internal/context/auth.go reads...