CVE-2026-52809
Gogs (CVE-2026-52809) generates password-reset tokens using the ActivateCodeLives lifetime, not the configured ResetPasswordCodeLives. As a result, even if an admin sets a short RESET_PASSWORD_CODE_LIVES (e.g., 10 minutes), reset tokens remain valid for the full activation lifetime (e.g., 180 min...