Is Gogs affected by CVE-2026-25242?

Gogs instances running version 0.13.4 or below are vulnerable to unauthenticated file uploads, allowing attackers to execute arbitrary code without credentials.

CVE-2026-25242

CRITICAL

2026-02-19 [email protected]

GHSA-fc3h-92p8-h36f

9.8

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 22:03 vuln.today

PoC Detected

Feb 19, 2026 - 19:46 vuln.today

Public exploit code

Patch Released

Feb 19, 2026 - 19:46 nvd

Patch available

CVE Published

Feb 19, 2026 - 07:17 nvd

CRITICAL 9.8

Description

Gogs is an open source self-hosted Git service. Versions 0.13.4 and below expose unauthenticated file upload endpoints by default. When the global RequireSigninView setting is disabled (default), any remote user can upload arbitrary files to the server via /releases/attachments and /issues/attachments. This enables the instance to be abused as a public file host, potentially leading to disk exhaustion, content hosting, or delivery of malware. CSRF tokens do not mitigate this attack due to same-origin cookie issuance. This issue has been fixed in version 0.14.1.

Analysis

Unauthenticated file upload in Gogs self-hosted Git service 0.13.4 and below. Default configuration exposes file upload endpoints. …

Remediation

Within 24 hours: Identify all Gogs instances in your environment and their current versions; take affected systems offline or restrict network access if immediate patching is not possible. Within 7 days: Apply available vendor patches to all Gogs deployments and verify patch installation. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.1

CVSS: +49

POC: +20

Vendor Status

CVE-2026-25242 vulnerability details – vuln.today

Back

CVE-2026-25242

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Vendor Status

Share

CVE-2026-25242

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Vendor Status

Share

External POC / Exploit Code