Lucene search
K

6 matches found

NVD
NVD
added 2026/06/24 9:16 p.m.8 views

CVE-2026-52809

Gogs is an open source self-hosted Git service. Prior to 0.14.3, password-reset tokens are generated using conf.Auth.ActivateCodeLives the account-activation lifetime, not conf.Auth.ResetPasswordCodeLives. The token lifetime is baked into the token itself at generation time and is re-extracted fr...

6.8CVSS0.00202EPSS
Exploits0References2
OSV
OSV
added 2026/06/24 8:29 p.m.3 views

CVE-2026-52809 Gogs: Password-reset tokens use account-activation lifetime, ignoring RESET_PASSWORD_CODE_LIVES

Gogs is an open source self-hosted Git service. Prior to 0.14.3, password-reset tokens are generated using conf.Auth.ActivateCodeLives the account-activation lifetime, not conf.Auth.ResetPasswordCodeLives. The token lifetime is baked into the token itself at generation time and is re-extracted fr...

6.8CVSS5.9AI score0.00202EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/06/24 8:29 p.m.28 views

CVE-2026-52809 Gogs: Password-reset tokens use account-activation lifetime, ignoring RESET_PASSWORD_CODE_LIVES

Gogs is an open source self-hosted Git service. Prior to 0.14.3, password-reset tokens are generated using conf.Auth.ActivateCodeLives the account-activation lifetime, not conf.Auth.ResetPasswordCodeLives. The token lifetime is baked into the token itself at generation time and is re-extracted fr...

6.8CVSS0.00202EPSS
Exploits0References2
CVE
CVE
added 2026/06/24 8:29 p.m.19 views

CVE-2026-52809

Gogs (CVE-2026-52809) generates password-reset tokens using the ActivateCodeLives lifetime, not the configured ResetPasswordCodeLives. As a result, even if an admin sets a short RESET_PASSWORD_CODE_LIVES (e.g., 10 minutes), reset tokens remain valid for the full activation lifetime (e.g., 180 min...

6.8CVSS5.9AI score0.00202EPSS
Exploits0References2
OSV
OSV
added 2026/06/23 5:3 p.m.6 views

GHSA-5C3F-6486-3G7G Gogs's password-reset tokens use account-activation lifetime, ignoring RESET_PASSWORD_CODE_LIVES

Summary Password-reset tokens are generated using conf.Auth.ActivateCodeLives the account-activation lifetime, not conf.Auth.ResetPasswordCodeLives. The token lifetime is baked into the token itself at generation time and is re-extracted from the token at verification time, making...

6.8CVSS6.1AI score0.00202EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/06/23 12:0 a.m.20 views

PT-2026-51627

Name of the Vulnerable Software and Affected Versions Gogs versions prior to 0.14.3 Description Password-reset tokens are generated using the account-activation lifetime conf.Auth.ActivateCodeLives instead of the intended password-reset lifetime conf.Auth.ResetPasswordCodeLives. Because the token...

6.8CVSS5.9AI score0.00202EPSS
Exploits0References10
Rows per page
Query Builder