gogs.io/gogs (Go) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the Go package gogs.io/gogs, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (71)
CVE-2026-52813 — CVSS 10.0 (critical): Gogs is an open source self-hosted Git service. Prior to 0.14.3, organization names containing path traversal sequences (../) are accepted…
CVE-2024-56731 — CVSS 10.0 (critical): Gogs is an open source self-hosted Git service. Prior to version 0.13.3, it's still possible to delete files under the .git directory and…
CVE-2024-39930 — CVSS 9.9 (critical): The built-in SSH server of Gogs through 0.13.0 allows argument injection in internal/ssh/ssh.go, leading to remote code execution…
CVE-2026-52806 — CVSS 9.9 (critical): Gogs is an open source self-hosted Git service. Prior to 0.14.3, Gogs allows authenticated users to achieve Remote Code Execution (RCE) on…
CVE-2026-25242 — CVSS 9.8 (critical): Gogs is an open source self-hosted Git service. Versions 0.13.4 and below expose unauthenticated file upload endpoints by default. When the…
CVE-2025-64111 — CVSS 9.8 (critical): Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, due to the insufficient patch for CVE-2024-56731, it's still…
CVE-2019-14544 — CVSS 9.8 (critical): routes/api/v1/api.go in Gogs 0.11.86 lacks permission checks for routes: deploy keys, collaborators, and hooks.
CVE-2024-54148 — CVSS 9.8 (critical): Gogs is an open source self-hosted Git service. A malicious user is able to commit and edit a crafted symlink file to a repository to gain…
CVE-2022-1884 — CVSS 9.8 (critical): A remote command execution vulnerability exists in gogs/gogs versions <=0.12.7 when deployed on a Windows server. The vulnerability arises…
CVE-2026-25921 — CVSS 9.3 (critical): Gogs is an open source self-hosted Git service. Prior to version 0.14.2, overwritable LFS object across different repos leads to…
CVE-2026-52811: Gogs is an open source self-hosted Git service. Prior to 0.14.3, (*Repository).UploadRepoFiles checks for symlinks only on the leaf of the…
CVE-2022-32174 — CVSS 9.0 (critical): In Gogs, versions v0.6.5 through v0.12.10 are vulnerable to Stored Cross-Site Scripting (XSS) that leads to an account takeover.
CVE-2026-52798 — CVSS 8.9 (high): Gogs is an open source self-hosted Git service. Prior to 0.14.3, although .ipynb previews are sanitized on the server side via…
CVE-2026-25232 — CVSS 8.8 (high): Gogs is an open source self-hosted Git service. Versions 0.13.4 and below have an access control bypass vulnerability which allows any…
CVE-2021-32546 — CVSS 8.8 (high): Missing input validation in internal/db/repo_editor.go in Gogs before 0.12.8 allows an attacker to execute code remotely. An unprivileged…
CVE-2022-0415 — CVSS 8.8 (high): Remote Command Execution in uploading repository file in GitHub repository gogs/gogs prior to 0.12.6.
CVE-2026-52800 — CVSS 8.8 (high): Gogs is an open source self-hosted Git service. Prior to 0.14.3, organization team member management can be performed via GET requests…
CVE-2024-44625 — CVSS 8.8 (high): Gogs <=0.13.0 is vulnerable to Directory Traversal via the editFilePost function of internal/route/repo/editor.go.
CVE-2024-55947 — CVSS 8.8 (high): Gogs is an open source self-hosted Git service. A malicious user is able to write a file to an arbitrary path on the server to gain SSH…
CVE-2025-64175 — CVSS 8.8 (high): Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, Gogs’ 2FA recovery code validation does not scope codes by…
CVE-2026-26022 — CVSS 8.7 (high): Gogs is an open source self-hosted Git service. Prior to version 0.14.2, a stored cross-site scripting (XSS) vulnerability exists in the…
CVE-2026-52805 — CVSS 8.7 (high): Gogs is an open source self-hosted Git service. Prior to 0.14.3, a Server-Side Request Forgery (SSRF) vulnerability exists in the…
CVE-2018-15192 — CVSS 8.6 (high): An SSRF vulnerability in webhooks in Gitea through 1.5.0-rc2 and Gogs through 0.11.53 allows remote attackers to access intranet services.
CVE-2026-52797 — CVSS 8.5 (high): Gogs is an open source self-hosted Git service. Prior to 0.14.0, as an authorized user, an intruder can dictate the value which is passed…
CVE-2026-47267 — CVSS 8.3 (high): Gogs is an open source self-hosted Git service. Prior to 0.14.3, the fix for CVE-2022-1285 prevents adding webooks or running webhooks with…
CVE-2026-52801 — CVSS 8.1 (high): Gogs is an open source self-hosted Git service. Prior to 0.14.3, the Gogs Mirror Settings functionality provide an alternative way from the…
CVE-2026-24135 — CVSS 8.1 (high): Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, a path traversal vulnerability exists in the updateWikiPage…
CVE-2026-25119: Gogs is an open source self-hosted Git service. Prior to 0.14.3, when ENABLE_REVERSE_PROXY_AUTHENTICATION is enabled, Gogs accepts the…
CVE-2014-8681 — CVSS 7.5 (high): SQL injection vulnerability in the GetIssues function in models/issue.go in Gogs (aka Go Git Service) 0.3.1-9 through 0.5.6.x before…
CVE-2014-8682 — CVSS 7.5 (high): Multiple SQL injection vulnerabilities in Gogs (aka Go Git Service) 0.3.1-9 through 0.5.x before 0.5.6.1105 Beta allow remote attackers to…
CVE-2018-20303 — CVSS 7.5 (high): In pkg/tool/path.go in Gogs before 0.11.82.1218, a directory traversal in the file-upload functionality can allow an attacker to create a…
CVE-2026-52799 — CVSS 7.5 (high): Gogs is an open source self-hosted Git service. Prior to 0.14.3, GET /attachments/:uuid returns the raw attachment file without verifying…
CVE-2026-26194 — CVSS 7.3 (high): Gogs is an open source self-hosted Git service. Prior to version 0.14.2, there's a security issue in gogs where deleting a release can fail…
CVE-2026-26276 — CVSS 7.3 (high): Gogs is an open source self-hosted Git service. Prior to version 0.14.2, an attacker can store an HTML/JavaScript payload in a…
CVE-2026-52810: Gogs is an open source self-hosted Git service. Prior to 0.14.3, Git smart HTTP authorizes POST …/git-receive-pack using the…
CVE-2026-52808 — CVSS 7.1 (high): Gogs is an open source self-hosted Git service. Prior to 0.14.3, three API endpoints — PATCH /api/v1/repos/:owner/:repo/issue-tracker…
CVE-2026-52812: Gogs is an open source self-hosted Git service. Prior to 0.14.3, Git LFS storage is content-addressed by OID alone (<LFS-root>/<oid[0]>/<oid…
CVE-2026-52809 — CVSS 6.8 (medium): Gogs is an open source self-hosted Git service. Prior to 0.14.3, password-reset tokens are generated using conf.Auth.ActivateCodeLives (the…
CVE-2026-25229 — CVSS 6.5 (medium): Gogs is an open source self-hosted Git service. Versions 0.13.4 and below have a broken access control vulnerability which allows…
CVE-2026-23633 — CVSS 6.5 (medium): Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, there is an arbitrary file read/write via path traversal in…
CVE-2026-23632 — CVSS 6.5 (medium): Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, the endpoint "PUT /repos/:owner/:repo/contents/*" does not…
CVE-2026-22592 — CVSS 6.5 (medium): Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, an authenticated user can cause a DOS attack. If one of the…
CVE-2020-14958 — CVSS 6.5 (medium): In Gogs 0.11.91, MakeEmailPrimary in models/user_mail.go lacks a "not the owner of the email" check.
CVE-2025-47943 — CVSS 6.3 (medium): Gogs is an open source self-hosted Git service. In application version 0.14.0+dev and prior, there is a stored cross-site scripting (XSS)…
CVE-2018-15178 — CVSS 6.1 (medium): Open redirect vulnerability in Gogs before 0.12 allows remote attackers to redirect users to arbitrary websites and conduct phishing…
CVE-2018-17031 — CVSS 6.1 (medium): In Gogs 0.11.53, an attacker can use a crafted .eml file to trigger MIME type sniffing, which leads to XSS, as demonstrated by Internet…
CVE-2026-26195 — CVSS 6.1 (medium): Gogs is an open source self-hosted Git service. Prior to version 0.14.2, stored xss is still possible through unsafe template rendering…
CVE-2026-52815: Gogs is an open source self-hosted Git service. Prior to 0.14.3, Gogs has an unauthenticated information disclosure vulnerability. The GET…
CVE-2026-52804: Gogs is an open source self-hosted Git service. Prior to 0.14.3, a repository admin collaborator can escalate their privileges to…
CVE-2026-52814: Gogs is an open source self-hosted Git service. Prior to 0.14.3, the Gogs built-in Go SSH server is vulnerable to an unauthenticated…
CVE-2026-52802 — CVSS 5.4 (medium): Gogs is an open source self-hosted Git service. Prior to 0.14.3, an open redirect vulnerability exists in Gogs where attacker-controlled…
CVE-2022-1464 — CVSS 5.4 (medium): Stored xss bug in GitHub repository gogs/gogs prior to 0.12.7. As the repo is public , any user can view the report and when open the…
CVE-2026-52816: Gogs is an open source self-hosted Git service. Prior to 0.14.3, the Jupyter Notebook (ipynb) sanitizer endpoint at POST…
CVE-2022-31038 — CVSS 5.4 (medium): Gogs is an open source self-hosted Git service. In versions of gogs prior to 0.12.9 `DisplayName` does not filter characters input from…
CVE-2026-26196 — CVSS 5.3 (medium): Gogs is an open source self-hosted Git service. Prior to version 0.14.2, gogs api still accepts tokens in url params like token and…
CVE-2025-64719 — CVSS 4.9 (medium): Gogs is an open source self-hosted Git service. Prior to 0.14.3, a malicious user with rights to create a new file on a repository or wiki…
CVE-2026-52807: Gogs is an open source self-hosted Git service. Prior to 0.14.3, in new_form.tmpl, milestone names are rendered with Go's default…
CVE-2014-8683 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in models/issue.go in Gogs (aka Go Git Service) 0.3.1-9 through 0.5.x before 0.5.8 allows remote…
CVE-2026-52796 — CVSS 3.5 (low): Gogs is an open source self-hosted Git service. Prior to 0.14.3, specially crafted issue index pattern can cause a panic when rendering…
CVE-2026-25120 — CVSS 2.7 (low): Gogs is an open source self-hosted Git service. In versions 0.13.4 and below, the DeleteComment API does not verify that the comment…