Gogs
CVE-2026-25921
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:L
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:L
Lifecycle Timeline
4DescriptionGitHub Advisory
Gogs is an open source self-hosted Git service. Prior to version 0.14.2, overwritable LFS object across different repos leads to supply-chain attack, all LFS objects are vulnerable to be maliciously overwritten by malicious attackers. This issue has been patched in version 0.14.2.
AnalysisAI
Supply chain attack via LFS object overwrite across repos in Gogs before 0.14.2. PoC and patch available.
Technical ContextAI
CWE-345 overwritable LFS objects.
RemediationAI
Update to 0.14.2.
Multiple SQL injection vulnerabilities in Gogs (aka Go Git Service) 0.3.1-9 through 0.5.x before 0.5.6.1105 Beta allow r
The git hook feature in Gogs 0.5.5 through 0.12.2 allows for authenticated remote code execution. Rated high severity (C
Gogs through 0.13.0 allows argument injection during the previewing of changes. Rated critical severity (CVSS 9.9), this
The built-in SSH server of Gogs through 0.13.0 allows argument injection in internal/ssh/ssh.go, leading to remote code
Gogs self-hosted Git service v0.13.3 has a command injection vulnerability enabling remote code execution through crafte
Unauthenticated file upload in Gogs self-hosted Git service 0.13.4 and below. Default configuration exposes file upload
OS Command Injection in GitHub repository gogs/gogs prior to 0.12.9. Rated critical severity (CVSS 9.8), this vulnerabil
Gogs 0.11.66 allows remote code execution because it does not properly validate session IDs, as demonstrated by a ".." s
Path Traversal in GitHub repository gogs/gogs prior to 0.12.9. Rated critical severity (CVSS 9.1), this vulnerability is
Missing Authorization in GitHub repository gogs/gogs prior to 0.12.5. Rated critical severity (CVSS 9.1), this vulnerabi
In Gogs, versions v0.6.5 through v0.12.10 are vulnerable to Stored Cross-Site Scripting (XSS) that leads to an account t
Gogs is an open source self-hosted Git service. [CVSS 8.8 HIGH]
Same technique Authentication Bypass
View allVendor StatusVendor
SUSE
Severity: CriticalShare
External POC / Exploit Code
Leaving vuln.today
GHSA-cj4v-437j-jq4c