What is the CVSS score of CVE-2026-25921?

CVE-2026-25921 has a CVSS 3.1 base score of 9.3 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:L. EPSS exploitation probability: 0.0%.

Which versions of Gogs are affected by CVE-2026-25921?

Critical vulnerability in Gogs Git service allows attackers to overwrite shared Large File Storage (LFS) objects across repositories, enabling supply chain attacks that could compromise code…. A patch is available.

Is there a public PoC exploit available for CVE-2026-25921?

Yes, a public proof-of-concept exploit is available for CVE-2026-25921. Prioritise patching immediately. EPSS: 0.0%.

Gogs CVE-2026-25921

CRITICAL

Insufficient Verification of Data Authenticity (CWE-345)

2026-03-05 security-advisories@github.com

GHSA-cj4v-437j-jq4c

Authentication Bypass Gogs Suse

9.3

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

None

Integrity

High

Availability

Low

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 22:06 vuln.today

PoC Detected

Mar 06, 2026 - 14:02 vuln.today

Public exploit code

Patch released

Mar 06, 2026 - 14:02 nvd

Patch available

CVE Published

Mar 05, 2026 - 19:16 nvd

CRITICAL 9.3

DescriptionNVD

Gogs is an open source self-hosted Git service. Prior to version 0.14.2, overwritable LFS object across different repos leads to supply-chain attack, all LFS objects are vulnerable to be maliciously overwritten by malicious attackers. This issue has been patched in version 0.14.2.

AnalysisAI

Supply chain attack via LFS object overwrite across repos in Gogs before 0.14.2. PoC and patch available.

RemediationAI

Within 24 hours: Identify all Gogs instances running versions prior to 0.14.2 and assess exposure by reviewing LFS usage across repositories. Within 7 days: Apply vendor patch to upgrade all affected Gogs instances to version 0.14.2 or later, with validated testing in non-production environments first. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

More from same product – last 7 days

CVE-2026-9256 HIGH This Week

8.1 May 22

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows unauthenticated remote attackers

Vendor StatusVendor

CVE-2026-25921 vulnerability details – vuln.today

Back

Gogs CVE-2026-25921

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

More from same product – last 7 days

Vendor StatusVendor

Share

External POC / Exploit Code