CVE-2026-24135
HIGH
GHSA-jp7c-wj6q-3qf2
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Lifecycle Timeline
3Tags
Description
Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, a path traversal vulnerability exists in the updateWikiPage function of Gogs. The vulnerability allows an authenticated user with write access to a repository's wiki to delete arbitrary files on the server by manipulating the old_title parameter in the wiki editing form. This issue has been patched in versions 0.13.4 and 0.14.0+dev.
Analysis
Arbitrary file deletion in Gogs 0.13.3 and earlier allows authenticated repository contributors to exploit a path traversal flaw in the wiki page update function, enabling deletion of arbitrary files on the affected server. An attacker with wiki write access can manipulate the old_title parameter to traverse the filesystem and remove critical files. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Audit Gogs deployment inventory and identify all instances running version 0.13.3 or earlier; disable wiki functionality if not business-critical and implement network access restrictions to Gogs servers. Within 7 days: Implement WAF rules to block path traversal patterns in wiki page update requests; deploy file integrity monitoring on Gogs server directories; review access logs for exploitation attempts. …
Sign in for detailed remediation steps.
Priority Score
Vendor Status
Share
External POC / Exploit Code
Leaving vuln.today