87 matches found

Metasploit
added yesterday, 20 views

Gogs Git Rebase Argument Injection RCE

This module exploits an argument injection vulnerability in the pull request merge flow of Gogs: the injected argument is parsed by Git as the --exec flag rather than as a positional argument, causing sh -c to run after each replayed commit during the rebase. Two exploitation methods are supported: - ownrepo: The attacker...

AI score 5.9
Exploits: 0
Positive Technologies
added 2026/05/28 12:00 a.m., 2 views

PT-2026-45143

A vulnerability in the Merge function of Gogs, a tool for creating self-managed Git repositories, is related to argument injection or modification. Exploitation of the vulnerability could allow a remote attacker to execute arbitrary code by sending a specially crafted request...

CVSS 9, AI score 5.8
Exploits: 0, References: 2
Veracode
added 2026/05/16 6:40 a.m., 7 views

LFS Object Overwrite

Gogs is vulnerable to LFS object overwrite. The vulnerability is due to LFS objects being overwritable across different repositories, so an attacker can manipulate the uploaded file, for example by injecting a backdoor, and Gogs does not verify the uploaded LFS file content against its claimed SHA-256...

CVSS 9.3, AI score 7.1, EPSS 0.00035
Exploits: 1, References: 4, Affected software: 1
GithubExploit
added 2026/04/13 5:42 a.m., 101 views

Exploit for Path Traversal in Gogs

CVE-2025-8110 — Gogs Symlink Traversal → RCE Overview C...

CVSS 8.8, AI score 6, EPSS 0.17737
Exploits: 14
GithubExploit
added 2026/04/12 7:20 p.m., 82 views

Exploit for Path Traversal in Gogs

RCE - CVE-2025-59528 Gogs = 0.13.3 Exploit shellsession $...

CVSS 10, AI score 7.3, EPSS 0.86202
Exploits: 33
GithubExploit
added 2026/04/11 10:22 p.m., 97 views

Exploit for CVE-2025-81110

CVE-2025-81110-PoC Improper Symbolic link handling in the PutC...

AI score 6
Exploits: 1
Snyk
added 2026/03/05 9:13 p.m., 1 view

Arbitrary Argument Injection

Overview: Affected versions of this package are vulnerable to Arbitrary Argument Injection via tag deletion. An attacker can pass arbitrary git options by supplying a crafted tag name when triggering the deletion, potentially causing unintended behavior or disruption of the underlying...

CVSS 8.8, AI score 6, EPSS 0.00051
Exploits: 1, References: 2
EUVD
added 2026/03/05 7:29 p.m., 3 views

EUVD-2026-9852

Gogs: Release tag option injection in release deletion...

CVSS 8.8, AI score 5.9, EPSS 0.00051
Exploits: 1, References: 4
OSV
added 2026/03/05 7:26 p.m., 3 views

GHSA-XRCR-GMF5-2R8J Gogs: Stored XSS via data URI in issue comments

Summary: A stored cross-site scripting (XSS) vulnerability exists in the comment and issue description functionality. The application's HTML sanitizer explicitly allows data: URI schemes, enabling authenticated users to inject arbitrary JavaScript execution via malicious links. Details: The...

CVSS 8.7, AI score 6.3, EPSS 0.00017
Exploits: 1, References: 6
Github Security Blog
added 2026/03/05 7:26 p.m., 2 views

Gogs: Stored XSS via data URI in issue comments

Summary: A stored cross-site scripting (XSS) vulnerability exists in the comment and issue description functionality. The application's HTML sanitizer explicitly allows data: URI schemes, enabling authenticated users to inject arbitrary JavaScript execution via malicious links. Details: The...

CVSS 8.7, AI score 6.3, EPSS 0.00017
Exploits: 1, References: 6, Affected software: 1
NVD
added 2026/03/05 7:16 p.m., 5 views

CVE-2026-26022

Gogs is an open source self-hosted Git service. Prior to version 0.14.2, a stored cross-site scripting (XSS) vulnerability exists in the comment and issue description functionality. The application's HTML sanitizer explicitly allows data: URI schemes, enabling authenticated users to inject arbitrar...

CVSS 8.7, EPSS 0.00017
Exploits: 1, References: 4
OSV
added 2026/03/05 6:36 p.m., 2 views

CVE-2026-25921 Gogs: Cross-repository LFS object overwrite via missing content hash verification

Gogs is an open source self-hosted Git service. Prior to version 0.14.2, an LFS object could be overwritten across different repositories, enabling a supply-chain attack: all LFS objects were vulnerable to being maliciously overwritten by attackers. This issue has been patched in version 0.14.2...

CVSS 9.3, AI score 6.8, EPSS 0.00035
Exploits: 1, References: 6
CVE
added 2026/02/19 2:33 a.m., 7 views

CVE-2026-25229

CVE-2026-25229 affects Gogs (self-hosted Git service). In versions 0.13.4 and earlier, the Web UI endpoint POST /:username/:reponame/labels/edit allows cross-repository label tampering: UpdateLabel uses an incorrect database query that bypasses repository ownership validation, letting authenticat...

CVSS 6.5, AI score 5.6, EPSS 0.00044
Exploits: 1, References: 2, Affected software: 1
CVE
added 2026/02/19 2:28 a.m., 8 views

CVE-2026-25242

CVE-2026-25242 (Gogs) affects Gogs, an open source self-hosted Git service. Versions 0.13.4 and earlier expose unauthenticated file upload endpoints by default. When the global RequireSigninView is disabled (default), remote users can upload arbitrary files to /releases/attachments and /issues/at...

CVSS 9.8, AI score 5.7, EPSS 0.001
Exploits: 1, References: 4, Affected software: 1
Snyk
added 2026/02/17 6:40 p.m., 1 view

Incorrect Authorization

Overview: Affected versions of this package are vulnerable to Incorrect Authorization in the DeleteComment function, accessible via the /:owner/:repo/issues/comments/:id/delete endpoint. A user can delete comments from other users' repositories by sending POST requests for known comment IDs...

CVSS 5.3, AI score 5.5, EPSS 0.00017
Exploits: 1, References: 2
OSV
added 2026/02/17 6:09 p.m., 2 views

GO-2026-4454 Gogs vulnerable to Stored XSS via Mermaid diagrams in gogs.io/gogs

Gogs vulnerable to Stored XSS via Mermaid diagrams in gogs.io/gogs. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from vulnerability scanners, please suggest a...

AI score 5.5
Exploits: 0, References: 4
Positive Technologies
added 2026/02/13 12:00 a.m., 2 views

PT-2026-23485

Name of the vulnerable software and affected versions: Gogs versions prior to 0.14.2. Description: Gogs, a self-hosted Git service, has an issue where deleting a release can fail due to improper handling of user-controlled tag names passed to Git. Specifically, if a tag name begins with a dash, it c...

CVSS 9.9, AI score 5.9, EPSS 0.00342
Exploits: 26, References: 142
RedhatCVE
added 2026/02/07 7:30 p.m., 4 views

CVE-2025-64111

Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, due to the insufficient patch for CVE-2024-56731, it's still possible to update files in the .git directory and achieve remote command execution. This issue has been patched in versions 0.13.4 and 0.14.0+dev...

CVSS 10, AI score 5.3, EPSS 0.02578
Exploits: 3, References: 1
OSV
added 2026/02/06 5:49 p.m., 4 views

GHSA-GG64-XXR9-QHJP Gogs's update .git/config file allows remote command execution

Summary: Due to the insufficient patch for https://github.com/gogs/gogs/security/advisories/GHSA-wj44-9vcg-wjq7, it's still possible to update files in the .git directory and achieve remote command execution. Details: The UpdateRepoFile function performs its security check only under some if conditions. While...

CVSS 9.3, AI score 5.5, EPSS 0.0023
Exploits: 3, References: 4
CVE
added 2026/02/06 5:47 p.m., 11 views

CVE-2026-24135

CVE-2026-24135 affects the Gogs self-hosted Git service. In versions up to 0.13.3, a path traversal in the updateWikiPage function allows an authenticated user with wiki write access to delete arbitrary server files by manipulating the old_title parameter. Impact: potential file deletion in the serve...

CVSS 8.1, AI score 5.5, EPSS 0.00064
Exploits: 1, References: 1, Affected software: 1