510 matches found
ALSA-2026:4164 Important: git-lfs security update
Git Large File Storage (LFS) replaces large files such as audio samples, videos, datasets, and graphics with text pointers inside Git, while storing the file contents on a remote server. Security Fixes: crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted...
RHEL 10 : git-lfs (RHSA-2026:4166)
The remote Red Hat Enterprise Linux 10 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2026:4166 advisory. Git Large File Storage (LFS) replaces large files such as audio samples, videos, datasets, and graphics with text pointers inside Git, while...
RHSA-2026:3985 Red Hat Security Advisory: git-lfs security update
Bulletin has no description...
RHSA-2026:3973 Red Hat Security Advisory: git-lfs security update
Bulletin has no description...
RHSA-2026:3972 Red Hat Security Advisory: git-lfs security update
Bulletin has no description...
Important: Red Hat Security Advisory: git-lfs security update
An update for git-lfs is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service. Red Hat Product Security has rated this update as...
Important: Red Hat Security Advisory: git-lfs security update
An update for git-lfs is now available for Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions and Red Hat Enterprise Linux 8.8 Telecommunications Update Service. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring...
Important: Red Hat Security Advisory: git-lfs security update
An update for git-lfs is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support and Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerabili...
Important: git-lfs security update
Git Large File Storage (LFS) replaces large files such as audio samples, videos, datasets, and graphics with text pointers inside Git, while storing the file contents on a remote server. Security Fixes: golang: net/url: Memory exhaustion in query parameter parsing in net/url (CVE-2025-61726)...
RHEL 8 : git-lfs (RHSA-2026:3972)
The remote Red Hat Enterprise Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2026:3972 advisory. Git Large File Storage (LFS) replaces large files such as audio samples, videos, datasets, and graphics with text pointers inside Git, while...
ALSA-2026:3985 Important: git-lfs security update
Git Large File Storage (LFS) replaces large files such as audio samples, videos, datasets, and graphics with text pointers inside Git, while storing the file contents on a remote server. Security Fixes: golang: net/url: Memory exhaustion in query parameter parsing in net/url (CVE-2025-61726)...
CVE-2026-30832
Soft Serve is a self-hostable Git server for the command line. From version 0.6.0 to before version 0.11.4, an authenticated SSH user can force the server to make HTTP requests to internal/private IP addresses by running repo import with a crafted --lfs-endpoint URL. The initial batch request is...
CVE-2026-30832 Soft Serve: SSRF via unvalidated LFS endpoint in repo import
Soft Serve is a self-hostable Git server for the command line. From version 0.6.0 to before version 0.11.4, an authenticated SSH user can force the server to make HTTP requests to internal/private IP addresses by running repo import with a crafted --lfs-endpoint URL. The initial batch request is...
GHSA-3FVX-XRXQ-8JVV soft-serve vulnerable to SSRF via unvalidated LFS endpoint in repo import
While auditing the codebase in the wake of the webhook SSRF fix shipped in v0.11.1 (GHSA-vwq2-jx9q-9h9f), it was identified that the LFS import path was never given the same treatment. The webhook fix introduced dual-layer SSRF protection — ValidateWebhookURL at creation time and secureHTTPClient...
Server-side Request Forgery (SSRF)
Overview: Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the --lfs-endpoint parameter during repository import. An attacker can cause the server to send HTTP requests to internal or private IP addresses, potentially accessing sensitive internal services or...
CVE-2026-25921
Gogs is an open source self-hosted Git service. Prior to version 0.14.2, LFS objects can be overwritten across different repos, which leads to a supply-chain attack; all LFS objects are vulnerable to being maliciously overwritten by attackers. This issue has been patched in version 0.14.2...
RLSA-2026:3928 Important: git-lfs security update
Git Large File Storage (LFS) replaces large files such as audio samples, videos, datasets, and graphics with text pointers inside Git, while storing the file contents on a remote server. Security Fixes: crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted...
git-lfs security update
An update is available for git-lfs. This update affects Rocky Linux 9. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list. Git Large File Storage (LFS) replaces large files such as audio samples, videos...
RHSA-2026:3932 Red Hat Security Advisory: git-lfs security update
Bulletin has no description...
RHSA-2026:3929 Red Hat Security Advisory: git-lfs security update
Bulletin has no description...