
17320 matches found

Snyk
added 2026/02/06 6:52 p.m. | 2 views

Missing Authorization

Overview: Affected versions of this package are vulnerable to Missing Authorization in the PutContents function accessible via the /repos/:owner/:repo/contents/ endpoint. A user with read permissions can modify repository contents via git push. Remediation: Upgrade...

7.1 CVSS | 5.5 AI score | 0.00019 EPSS
Exploits 0 | References 2
Snyk
added 2026/02/06 6:52 p.m. | 2 views

Missing Authorization

Overview: Affected versions of this package are vulnerable to Missing Authorization via the synchronization process when a repository file is deleted prior to synchronization. An attacker can cause the application to crash by deleting a repository file before synchronization as an authenticated...

7.1 CVSS | 5.6 AI score | 0.00019 EPSS
Exploits 1 | References 2
Snyk
added 2026/02/06 6:52 p.m. | 3 views

Missing Authorization

Overview: Affected versions of this package are vulnerable to Missing Authorization via the synchronization process when a repository file is deleted prior to synchronization. An attacker can cause the application to crash by deleting a repository file before synchronization as an authenticated...

7.1 CVSS | 5.6 AI score | 0.00019 EPSS
Exploits 1 | References 2
Snyk
added 2026/02/06 6:50 p.m. | 3 views

Directory Traversal

Overview: Affected versions of this package are vulnerable to Directory Traversal in the updateWikiPage function that allows a user with write access to a given repository's wiki to delete files with the oldtitle parameter. Details: A Directory Traversal attack, also known as path traversal, aims to...

8.1 CVSS | 6.4 AI score | 0.00064 EPSS
Exploits 1 | References 2
NVD
added 2026/02/06 6:15 p.m. | 3 views

CVE-2026-22592

Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, an authenticated user can cause a DOS attack. If one of the repo files is deleted before synchronization, it will cause the application to crash. This issue has been patched in versions 0.13.4 and 0.14.0+dev...

6.5 CVSS | 0.00019 EPSS
Exploits 1 | References 1
OSV
added 2026/02/06 6:10 p.m. | 3 views

GHSA-5QHX-GWFJ-6JQR Gogs user can update repository content with read-only permission

Vulnerability Description: The endpoint PUT /repos/:owner/:repo/contents/ does not require write permissions and allows access with read permission only via repoAssignment. After passing the permission check, PutContents invokes UpdateRepoFile, which results in: Commit creation; Execution of git pu...

6.5 CVSS | 5.9 AI score | 0.00019 EPSS
Exploits 0 | References 5
OSV
added 2026/02/06 6:8 p.m. | 3 views

GHSA-CR88-6MQM-4G57 Gogs has a Denial of Service issue

Summary: An authenticated user can cause a DOS attack. If one of the repo files is deleted before synchronization, it will cause the application to crash. Details: If GetMirrorByRepoID fails, the error log dereferences a null pointer. This happens if the repository no longer exists...

6.5 CVSS | 5.4 AI score | 0.00019 EPSS
Exploits 1 | References 6
OSV
added 2026/02/06 5:43 p.m. | 2 views

CVE-2026-23632 Gogs user can update repository content with read-only permission

Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, the endpoint "PUT /repos/:owner/:repo/contents/" does not require write permissions and allows access with read permission only via repoAssignment. After passing the permission check, PutContents invokes UpdateRepoFile,...

6.5 CVSS | 5.6 AI score | 0.00019 EPSS
Exploits 0 | References 3
CVE
added 2026/02/06 5:43 p.m. | 13 views

CVE-2026-23632

CVE-2026-23632 (Gogs): A bug in Gogs prior to 0.13.4 allows a token with read permission to modify repository contents via the PUT /repos/:owner/:repo/contents/* endpoint. After repoAssignment() passes, PutContents() calls UpdateRepoFile(), leading to commit creation and git push, enabling unaut...

6.5 CVSS | 5.6 AI score | 0.00019 EPSS
Exploits 0 | References 1 | Affected Software 1
EUVD
added 2026/02/06 5:42 p.m. | 3 views

EUVD-2026-5625

Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, an authenticated user can cause a DOS attack. If one of the repo files is deleted before synchronization, it will cause the application to crash. This issue has been patched in versions 0.13.4 and 0.14.0+dev...

6.5 CVSS | 5.3 AI score | 0.00019 EPSS
Exploits 1 | References 1
Vulnrichment
added 2026/02/06 5:42 p.m. | 2 views

CVE-2026-22592 Gogs is Vulnerable to Denial of Service

Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, an authenticated user can cause a DOS attack. If one of the repo files is deleted before synchronization, it will cause the application to crash. This issue has been patched in versions 0.13.4 and 0.14.0+dev...

6.5 CVSS | 5.3 AI score | 0.00019 EPSS
Exploits 1 | References 1
OSV
added 2026/02/06 5:42 p.m. | 4 views

CVE-2026-22592 Gogs is Vulnerable to Denial of Service

Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, an authenticated user can cause a DOS attack. If one of the repo files is deleted before synchronization, it will cause the application to crash. This issue has been patched in versions 0.13.4 and 0.14.0+dev...

6.5 CVSS | 5.3 AI score | 0.00019 EPSS
Exploits 1 | References 3
Circl
added 2026/02/06 4:21 p.m. | 1 views

CVE-2024-12724

creationtimestamp | type | source
---|---|---
2026-02-06 16:21:41+00:00 | confirmed | https://github.com/projectdiscovery/nuclei-templates/tree/main/http/cves/2024/CVE-2024-12724.yaml...

6.1 CVSS | 5.1 AI score | 0.00252 EPSS
Exploits 1 | References 1
Positive Technologies
added 2026/02/06 12:0 a.m. | 2 views

PT-2026-6852

Vulnerability Description: The endpoint PUT /repos/:owner/:repo/contents/ does not require write permissions and allows access with read permission only via repoAssignment. After passing the permission check, PutContents invokes UpdateRepoFile, which results in: Commit creation; Execution of git pu...

6.5 CVSS | 6 AI score | 0.00019 EPSS
Exploits 0 | References 6
Oracle linux
added 2026/02/06 12:0 a.m. | 5 views

osbuild-composer security update

101.4-3.0.1 - Support using repository definitions with OCI variables JIRA: OLDIS-38657 - Update repositories to contain OCI variables - Remove image types Minimal-raw and wsl JIRA: OLDIS-38123 - Increase default /boot size to 1GB Orabug: 36827079 - support for building OL8/9 images on Oracle Linu...

7.5 CVSS | 5.4 AI score | 0.00019 EPSS
Exploits 2
Positive Technologies
added 2026/02/06 12:0 a.m. | 6 views

PT-2026-6755

Name of the Vulnerable Software and Affected Versions: Gogs versions prior to 0.13.4; Gogs versions prior to 0.14.0+dev. Description: Gogs is a self-hosted Git service susceptible to a denial-of-service (DoS) attack. An authenticated user can trigger a crash by initiating a mirror synchronization on a...

9.9 CVSS | 5.5 AI score | 0.00733 EPSS
Exploits 44 | References 118
CNNVD
added 2026/02/06 12:0 a.m. | 3 views

OpenProject OS Command Injection Vulnerability

OpenProject is an open-source web-based project management software. Versions of OpenProject prior to 16.6.7 and 17.0.3 had a vulnerability related to operating system command injection. This vulnerability stemmed from an arbitrary file writing vulnerability present in the repository modification...

9.9 CVSS | 6.3 AI score | 0.00024 EPSS
Exploits 0 | References 4
Positive Technologies
added 2026/02/06 12:0 a.m. | 5 views

PT-2026-6805

Name of the Vulnerable Software and Affected Versions: OpenProject versions prior to 16.6.7; OpenProject versions prior to 17.0.3. Description: OpenProject is a web-based project management software. A flaw exists in the repository changes endpoint '/projects/:project id/repository/changes' when...

9.4 CVSS | 6.6 AI score | 0.00024 EPSS
Exploits 0 | References 10
Positive Technologies
added 2026/02/06 12:0 a.m. | 4 views

PT-2026-6856

Summary: An authenticated user can cause a DOS attack. If one of the repo files is deleted before synchronization, it will cause the application to crash. Details: If GetMirrorByRepoID fails, the error log dereferences a null pointer. This happens if the repository no longer exists...

6.5 CVSS | 5.5 AI score | 0.00019 EPSS
Exploits 1 | References 7
Positive Technologies
added 2026/02/06 12:0 a.m. | 4 views

PT-2026-6863

Vulnerability Description In the endpoint: /username/reponame/settings/hooks/git/:name the :name parameter: Is URL-decoded by macaron routing, allowing decoded slashes / Is then passed directly to: go git.Repository.Hook"custom hooks", name which internally resolves the path as: go...

6.5 CVSS | 5.5 AI score | 0.00031 EPSS
Exploits 1 | References 6