Gogs Vulnerability Allows Remote Code Execution via Path Traversal
Gogs, a self-hosted Git service, has a path traversal vulnerability in organization names. Because the organization name is not sanitized during repository creation, an attacker can supply a name such as ../../../../tmp/test and have the repository's on-disk directory created outside the intended repository root. That in turn allows nested Git repositories to be created and hook configuration to be overwritten, which can lead to Remote Code Execution (RCE). All versions of Gogs prior to 0.14.3 are affected; the issue is tracked as CVE-2026-52813. Security advisories have been issued, and users are urged to update their installations. The flaw underlines the need for strict validation of any user-supplied value that ends up in a filesystem path.
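To make the root cause concrete, the following Go program is an added example written for this page; it is not Gogs' code and does not reproduce its actual repository-creation logic. It places a vulnerable path builder, which joins the organization name into the repository path unchecked, beside a hardened one that enforces an allow-list on owner and repository names and then verifies that the resolved path still lies beneath the repository root. The repository root, the name pattern and the sample names are assumptions chosen for the example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// ErrUnsafeName is returned when an organization or repository name could
// steer the repository path outside the configured repository root.
var ErrUnsafeName = errors.New("unsafe organization or repository name")

// namePattern is an allow-list for owner and repository names: letters,
// digits, '.', '-' and '_', with no path separators and no leading dot, so
// "." and ".." are excluded. This pattern is an assumption for the example,
// not the rule Gogs itself applies.
var namePattern = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9._-]*$`)

// VulnerableRepoPath mirrors the flaw described above: the organization
// name is joined into the path without validation, so a name such as
// "../../../../tmp/test" escapes the repository root entirely.
func VulnerableRepoPath(repoRoot, org, repo string) string {
	return filepath.Join(repoRoot, org, repo+".git")
}

// SafeRepoPath validates both names against the allow-list and, as defence
// in depth, refuses any resolved path that is not strictly inside repoRoot.
func SafeRepoPath(repoRoot, org, repo string) (string, error) {
	for _, n := range []string{org, repo} {
		if !namePattern.MatchString(n) {
			return "", ErrUnsafeName
		}
	}
	root := filepath.Clean(repoRoot)
	p := filepath.Join(root, org, repo+".git")
	// Even if the allow-list were loosened later, the containment check
	// still rejects anything whose relative path climbs above root.
	rel, err := filepath.Rel(root, p)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrUnsafeName
	}
	return p, nil
}

func main() {
	const root = "/var/lib/gogs/repositories" // constructed example root
	// The unchecked builder happily resolves outside the root.
	fmt.Println("vulnerable:", VulnerableRepoPath(root, "../../../../tmp/test", "repo"))
	// The hardened builder rejects the same input.
	if _, err := SafeRepoPath(root, "../../../../tmp/test", "repo"); err != nil {
		fmt.Println("hardened:  rejected:", err)
	}
	// A well-formed name resolves beneath the root as expected.
	p, err := SafeRepoPath(root, "acme", "repo")
	fmt.Println("hardened: ", p, err)
}
```

The allow-list is the primary control; the containment check after filepath.Join is there so that a later relaxation of the pattern (for example to admit Unicode names) cannot silently reintroduce traversal.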
Key Points:
• Gogs allows path traversal in organization names, which can lead to RCE.
• Unsanitized input during repository creation lets an attacker place repositories at attacker-chosen filesystem paths.
• Users are advised to upgrade to Gogs version 0.14.3 or later to mitigate the risk.