
gogs — Vulnerabilities & Security Advisories (57)

Browse all 57 CVE security advisories affecting gogs. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Gogs is a lightweight, self-hosted Git service written in Go, primarily used by organizations requiring private repository management without the complexity of larger alternatives. Despite its simplicity, the platform has accumulated thirty-three recorded Common Vulnerabilities and Exposures, reflecting persistent security challenges in its codebase. Historically, these flaws predominantly involve remote code execution, cross-site scripting, and privilege escalation, often stemming from improper input validation or authentication bypasses. While Gogs emphasizes ease of deployment and low resource consumption, its smaller development team compared to enterprise competitors has occasionally delayed critical patches. Recent incidents highlight risks associated with exposed administrative interfaces and insecure default configurations. Users must prioritize regular updates and strict access controls to mitigate these known weaknesses, ensuring that the convenience of self-hosting does not compromise infrastructure integrity against increasingly sophisticated threat actors targeting version control systems.

Found 47 results / 57
Top products by gogs: gogs (gogs/gogs)
CVE ID | Title | Product | CWE | CVSS | Severity | Published
CVE-2026-52797 | Gogs: Overwriting critical files results in a denial of service | gogs | CWE-22 | 8.5 | High | 2026-06-24
CVE-2026-52813 | Gogs: Path Traversal in organization name results in RCE through Git hooks | gogs | CWE-23 | 10.0 | Critical | 2026-06-24
CVE-2026-52812 | Gogs: LFS dedupe path leaks private repo content across tenants | gogs | CWE-345 | - | - | 2026-06-24
CVE-2026-52811 | Gogs: UploadRepoFiles writes outside repo working tree via committed parent sym | gogs | CWE-22 | - | - | 2026-06-24
CVE-2026-52810 | Gogs: Write to readonly repositories using receive-pack + service=git-upload-pack confusion | gogs | CWE-284 | - | - | 2026-06-24
CVE-2026-52809 | Gogs: Password-reset tokens use account-activation lifetime, ignoring RESET_PASSWORD_CODE_LIVES | gogs | CWE-324 | 6.8 | Medium | 2026-06-24
CVE-2026-52808 | Gogs: Write-level collaborators can mutate admin-only repository settings via API | gogs | CWE-863 | 7.1 | High | 2026-06-24
CVE-2026-52816 | Gogs: Unauthenticated Jupyter Notebook (ipynb) Sanitizer allows arbitrary data: URIs leading to XSS | gogs | CWE-80 | - | - | 2026-06-24
CVE-2026-52807 | Gogs: DOM-based XSS via Milestone Name on New Issue Page | gogs | CWE-79 | - | - | 2026-06-24
CVE-2026-52805 | Gogs: Migration Redirect Bypass Leads to Internal Repository Theft | gogs | CWE-918 | 8.7 | High | 2026-06-24
CVE-2026-52806 | Gogs: RCE via git rebase --exec argument injection in pull request merge | gogs | CWE-77 | 9.9 | Critical | 2026-06-24
CVE-2026-52804 | Gogs: Privilege Escalation via Collaboration Access Mode Validation | gogs | CWE-193 | - | - | 2026-06-24
CVE-2026-52799 | Gogs: Missing Authorization in Attachment Download | gogs | CWE-639 | 7.5 | High | 2026-06-24
CVE-2026-52801 | Gogs: Ability to import local repositories via Mirror Settings | gogs | CWE-20 | 8.1 | High | 2026-06-24
CVE-2026-52800 | Gogs: CSRF Leading to Organization Owner Takeover | gogs | CWE-352 | 8.8 | High | 2026-06-24
CVE-2026-52802 | Gogs: Open Redirect via redirect_to in Gogs | gogs | CWE-601 | 5.4 | Medium | 2026-06-24
CVE-2026-52814 | Gogs: Unauthenticated Asymmetric Denial of Service (DoS) via SSH Handshake Stall (File Descriptor Exhaustion) | gogs | CWE-400 | - | - | 2026-06-24
CVE-2026-52798 | Gogs: Stored XSS in `.ipynb` Preview | gogs | CWE-79 | 8.9 | High | 2026-06-24
CVE-2026-52796 | Gogs: DoS in rendering issue index pattern | gogs | CWE-1336 | 3.5 | Low | 2026-06-24
CVE-2026-47267 | Gogs: SSRF in webhook deliveries | gogs | CWE-918 | 8.3 | High | 2026-06-24
CVE-2026-25119 | Gogs: Authentication Bypass via Unvalidated Reverse Proxy Headers | gogs | CWE-290 | - | - | 2026-06-24
CVE-2026-52795 | Gogs: Authorization Bypass in Watch API allows any user to monitor private repository activity | gogs | CWE-863 | 4.3 | Medium | 2026-06-24
CVE-2025-64719 | Gogs: Denial of Service in repository/wiki file listing web pages | gogs | CWE-20 | 4.9 | Medium | 2026-06-24
CVE-2026-52815 | Gogs: Unauthenticated Organization Teams Information Disclosure via API | gogs | CWE-200 | - | - | 2026-06-24
CVE-2026-26276 | Gogs: DOM-based XSS via milestone selection | gogs | CWE-79 | 7.3 | High | 2026-03-05
CVE-2026-26196 | Gogs: Access tokens get exposed through URL params in API requests | gogs | CWE-598 | 5.3 | - | 2026-03-05
CVE-2026-26195 | Gogs: Stored XSS in branch and wiki views through author and committer names | gogs | CWE-79 | 5.4 | - | 2026-03-05
CVE-2026-26194 | Gogs: Release tag option injection in release deletion | gogs | CWE-88 | 7.1 | - | 2026-03-05
CVE-2026-25921 | Gogs: Cross-repository LFS object overwrite via missing content hash verification | gogs | CWE-345 | 9.3 | Critical | 2026-03-05
CVE-2026-26022 | Gogs: Stored XSS via data URI in issue comments | gogs | CWE-79 | 8.7 | High | 2026-03-05

This page lists every published CVE security advisory associated with gogs. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.