Skip to main content

Gogs EUVDEUVD-2026-39068

| CVE-2026-52802 MEDIUM
URL Redirection to Untrusted Site (Open Redirect) (CWE-601)
2026-06-23 https://github.com/gogs/gogs GHSA-xxhq-69mf-w8cr
5.4
CVSS 3.1 · Vendor: https://github.com/gogs/gogs
Share

Severity by source

Vendor (https://github.com/gogs/gogs) PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
vuln.today AI
5.4 MEDIUM

Network-accessible login endpoint requires no attacker privileges; victim must actively click crafted link and authenticate; no availability impact and scope unchanged.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/gogs/gogs).

CVSS VectorVendor: https://github.com/gogs/gogs

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 23, 2026 - 17:11 vuln.today
Analysis Generated
Jun 23, 2026 - 17:11 vuln.today

DescriptionCVE.org

Summary

An open redirect vulnerability exists in Gogs where attacker-controlled redirect_to parameters can bypass validation, allowing redirection to arbitrary external sites.

Details

All redirects in Gogs that are validated via the IsSameSite function are vulnerable:

go
func IsSameSite(url string) bool {
    return len(url) >= 2 && url[0] == '/' && url[1] != '/' && url[1] != '\\'
}

The function only inspects the first two characters of the URL string. This check fails to account for directory traversal sequences followed by backslashes. For example:

/a/../\example.com

The IsSameSite function checks the input supplied to the redirect_to query parameter value /a/../\example.com and considers it valid.

Because web browsers normalize backslashes \ to forward slashes /, the normalized URL becomes //example.com.

The normalized URL becomes:

//example.com

Resulting in a cross-origin redirect.

This affects all endpoints using the redirect_to query parameter, including login and other post-action flows.

PoC

  1. An attacker can provide a user with a link to login to Gogs with a redirect_to query parameter that redirects a user to a site the attacker wants them to visit:
http://192.168.236.132:3000/user/login?redirect_to=/a/../\example.com

<img width="1339" height="536" alt="image" src="https://github.com/user-attachments/assets/3c2a13b8-f0b7-42c2-a223-6f0ebf083589" />

<br> <br>

  1. After the user successfully logs in, they would be redirected to the site an attacker wants them to visit:

<img width="1066" height="463" alt="image" src="https://github.com/user-attachments/assets/1726a3d9-6705-43cc-bdd2-90aad105d021" />

<img width="1097" height="396" alt="image" src="https://github.com/user-attachments/assets/376052f5-0e00-4d14-a548-fa75a6269530" />

Impact

  • Phishing: Attackers can use trusted domain links to redirect victims to credential-harvesting pages
  • OAuth/SSO Token Theft: In authentication flows, authorization codes or tokens may leak via redirect
  • Referer Leakage: Sensitive URL parameters may be exposed to attacker domains via the Referer header
  • Cache Poisoning: In deployments with shared caches, malicious redirects may be cached and served to other users

AnalysisAI

Open redirect in Gogs versions up to and including 0.14.2 allows unauthenticated remote attackers to craft login URLs that redirect authenticated users to arbitrary external sites after successful login. The root cause is a two-character-only URL validation in the IsSameSite() function: the path /a/../\example.com passes server-side inspection but resolves to //example.com after browsers normalize backslashes to forward slashes. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft login URL with backslash bypass in redirect_to
Delivery
Deliver link to victim via phishing
Exploit
Victim authenticates on legitimate Gogs instance
Execution
Server-side IsSameSite() validation bypassed
Persist
Browser normalizes backslash to produce //attacker.com
Impact
Victim redirected to attacker-controlled site

Vulnerability AssessmentAI

Exploitation The attacker must deliver a crafted Gogs URL containing a `redirect_to` parameter with a backslash-based bypass path (e.g., `/a/../\attacker.com`) to a victim user who then clicks the link and completes authentication on the Gogs instance. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N yields a score of 5.4, reflecting that exploitation requires victim interaction (the user must click a crafted URL and complete login) but imposes no complexity or privilege requirements on the attacker. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker distributes a phishing message containing a legitimate-looking Gogs login URL with `redirect_to=/a/../\attacker.com` appended as a query parameter. The victim clicks the link, is presented with their real Gogs login page, and upon successful authentication is silently redirected to the attacker-controlled domain where a credential-harvesting page or token-capture endpoint is hosted. …
Remediation Upgrade Gogs to version 0.14.3 or later, which resolves the issue via PR #8322 (commit c5da9631dc75f692f313373ae229c4d47ba6517f). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2017-1000117 HIGH POC
8.8 Oct 05

A malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL ca

CVE-2024-52875 HIGH POC
8.8 Jan 31

GFI Kerio Control versions 9.2.5 through 9.4.5 contain an HTTP response splitting vulnerability in the dest parameter of

CVE-2016-5385 HIGH POC
8.1 Jul 19

PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect

CVE-2013-2248 MEDIUM POC
5.8 Jul 20

Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to

CVE-2012-6499 MEDIUM POC
5.8 Jan 12

Open redirect vulnerability in age-verification.php in the Age Verification plugin 0.4 and earlier for WordPress allows

CVE-2015-2863 MEDIUM POC
4.3 Jul 20

Open redirect vulnerability in Kaseya Virtual System Administrator (VSA) 7.x before 7.0.0.29, 8.x before 8.0.0.18, 9.0 b

CVE-2017-3528 MEDIUM POC
5.4 Apr 24

Vulnerability in the Oracle Applications Framework component of Oracle E-Business Suite (subcomponent: Popup windows (li

CVE-2012-0518 MEDIUM
4.7 Oct 16

Unspecified vulnerability in the Oracle Application Server Single Sign-On component in Oracle Fusion Middleware 10.1.4.3

CVE-2024-21641 MEDIUM POC
6.5 Jan 05

Flarum is open source discussion platform software. Rated medium severity (CVSS 6.5), this vulnerability is remotely exp

CVE-2015-5354 MEDIUM POC
5.8 Jul 01

Open redirect vulnerability in Novius OS 5.0.1 (Elche) allows remote attackers to redirect users to arbitrary web sites

CVE-2015-5461 MEDIUM POC
6.4 Jul 08

Open redirect vulnerability in the Redirect function in stageshow_redirect.php in the StageShow plugin before 5.0.9 for

CVE-2024-22891 CRITICAL POC
9.8 Mar 01

Nteract v.0.28.0 was discovered to contain a remote code execution (RCE) vulnerability via the Markdown link. Rated crit

Share

EUVD-2026-39068 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy