github.com/gogs/gogs is vulnerable to OS command injection. The vulnerability exists only in windows when the repository upload is enabled, allowing an attacker to upload maliciously crafted config file to the UpdateRepoFile
function of repo_editor.go
and gain SSH access to the server.