Critical Zero-Day Vulnerability in Gogs Allows Remote Code Execution

Critical Zero-Day Vulnerability in Gogs Allows Remote Code Execution

First seen 28 May 2026, 15:18 UTC BleepingcomputerCybersecuritynewsCsoonlineGbhackersHeise.De+3 86% similarity 72.0

Article Content

Browse articles
ThreatCluster

A critical argument injection vulnerability (CWE-88) has been discovered in Gogs, a widely used self-hosted Git service, allowing authenticated users to execute arbitrary code on the server. The flaw, identified by Rapid7's Jonah Burgess, has a CVSSv4 score of 9.4 and affects Gogs versions 0.14.2 and 0.15.0+dev, with no patch available at the time of publication. Attackers can exploit this vulnerability by creating a pull request with a malicious branch name that injects the --exec flag during the rebase merge operation. The vulnerability is particularly dangerous as Gogs instances often have open registration enabled by default, allowing unauthenticated users to create accounts and repositories. Successful exploitation can lead to full server compromise, including access to private repositories and sensitive credentials. Despite being reported to Gogs maintainers on March 17, no patch has been released as of May 28, 2026. The vulnerability is similar to previous argument injection flaws but affects a different code path.

Key Points: • Critical argument injection vulnerability in Gogs allows RCE for authenticated users. • No patch available; the vulnerability affects Gogs versions 0.14.2 and 0.15.0+dev. • Open registration by default enables unauthenticated users to exploit the flaw easily.

ThreatCluster AI

Timeline

2024-07-04
CVE-2024-39930 published
Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
MITRE
2024-07-04
CVE-2024-39932 published
Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
MITRE
2024-07-04
CVE-2024-39933 published
Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
MITRE
2025-12-10
CVE-2025-8110 published
Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
MITRE
2026-03-05
CVE-2026-26194 published
Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
MITRE
2026-03-17
Vulnerability reported to Gogs maintainers
Jonah Burgess reported the critical flaw to Gogs maintainers, who acknowledged it on March 28.
BleepingComputer
2026-05-28
Vulnerability disclosed publicly
Rapid7 disclosed the zero-day vulnerability in Gogs, highlighting its critical nature and lack of a patch.
Rapid7

Community

Browse all →