PT-2026-51624

Name of the Vulnerable Software and Affected Versions Gogs affected versions not specified Description Remote code execution is possible in the server-side Rebase before merging workflow. The issue occurs because the software invokes git rebase using a pull request base branch name without a "--"...

Gogs: Access tokens get exposed through URL params in API requests

Summary The Gogs API still accepts tokens in URL parameters such as token and accesstoken, which can leak through logs, browser history, and referrers. Details A static review shows that the API still checks tokens in the URL query before looking at headers: - internal/context/auth.go reads...