Filtered by vendor Gogs
Subscriptions
Filtered by product Gogs
Subscriptions
Total
74 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-64111 | 1 Gogs | 1 Gogs | 2026-02-26 | 9.8 Critical |
| Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, due to the insufficient patch for CVE-2024-56731, it's still possible to update files in the .git directory and achieve remote command execution. This issue has been patched in versions 0.13.4 and 0.14.0+dev. | ||||
| CVE-2025-64175 | 1 Gogs | 1 Gogs | 2026-02-26 | 8.8 High |
| Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, Gogs’ 2FA recovery code validation does not scope codes by user, enabling cross-account bypass. If an attacker knows a victim’s username and password, they can use any unused recovery code (e.g., from their own account) to bypass the victim’s 2FA. This enables full account takeover and renders 2FA ineffective in all environments where it's enabled.. This issue has been patched in versions 0.13.4 and 0.14.0+dev. | ||||
| CVE-2024-56731 | 1 Gogs | 1 Gogs | 2025-08-21 | 10 Critical |
| Gogs is an open source self-hosted Git service. Prior to version 0.13.3, it's still possible to delete files under the .git directory and achieve remote command execution due to an insufficient patch for CVE-2024-39931. Unprivileged user accounts can execute arbitrary commands on the Gogs instance with the privileges of the account specified by RUN_USER in the configuration. Allowing attackers to access and alter any users' code hosted on the same instance. This issue has been patched in version 0.13.3. | ||||
| CVE-2022-32174 | 1 Gogs | 1 Gogs | 2025-05-27 | 9 Critical |
| In Gogs, versions v0.6.5 through v0.12.10 are vulnerable to Stored Cross-Site Scripting (XSS) that leads to an account takeover. | ||||
| CVE-2022-31038 | 1 Gogs | 1 Gogs | 2025-04-23 | 5.4 Medium |
| Gogs is an open source self-hosted Git service. In versions of gogs prior to 0.12.9 `DisplayName` does not filter characters input from users, which leads to an XSS vulnerability when directly displayed in the issue list. This issue has been resolved in commit 155cae1d which sanitizes `DisplayName` prior to display to the user. All users of gogs are advised to upgrade. Users unable to upgrade should check their users' display names for malicious characters. | ||||
| CVE-2024-39930 | 1 Gogs | 1 Gogs | 2025-04-11 | 9.9 Critical |
| The built-in SSH server of Gogs through 0.13.0 allows argument injection in internal/ssh/ssh.go, leading to remote code execution. Authenticated attackers can exploit this by opening an SSH connection and sending a malicious --split-string env request if the built-in SSH server is activated. Windows installations are unaffected. | ||||
| CVE-2024-54148 | 1 Gogs | 1 Gogs | 2025-04-10 | 9.8 Critical |
| Gogs is an open source self-hosted Git service. A malicious user is able to commit and edit a crafted symlink file to a repository to gain SSH access to the server. The vulnerability is fixed in 0.13.1. | ||||
| CVE-2024-55947 | 1 Gogs | 1 Gogs | 2025-04-10 | 8.8 High |
| Gogs is an open source self-hosted Git service. A malicious user is able to write a file to an arbitrary path on the server to gain SSH access to the server. The vulnerability is fixed in 0.13.1. | ||||
| CVE-2024-39933 | 1 Gogs | 1 Gogs | 2025-04-10 | 7.7 High |
| Gogs through 0.13.0 allows argument injection during the tagging of a new release. | ||||
| CVE-2024-39932 | 1 Gogs | 1 Gogs | 2025-04-10 | 9.9 Critical |
| Gogs through 0.13.0 allows argument injection during the previewing of changes. | ||||
| CVE-2024-39931 | 1 Gogs | 1 Gogs | 2025-04-10 | 9.9 Critical |
| Gogs through 0.13.0 allows deletion of internal files. | ||||
| CVE-2022-2024 | 1 Gogs | 1 Gogs | 2025-03-11 | 9.8 Critical |
| OS Command Injection in GitHub repository gogs/gogs prior to 0.12.11. | ||||
| CVE-2024-44625 | 1 Gogs | 1 Gogs | 2024-11-21 | 8.8 High |
| Gogs <=0.13.0 is vulnerable to Directory Traversal via the editFilePost function of internal/route/repo/editor.go. | ||||
| CVE-2022-1993 | 1 Gogs | 1 Gogs | 2024-11-21 | 8.1 High |
| Path Traversal in GitHub repository gogs/gogs prior to 0.12.9. | ||||
| CVE-2022-1992 | 2 Gogs, Microsoft | 2 Gogs, Windows | 2024-11-21 | 9.1 Critical |
| Path Traversal in GitHub repository gogs/gogs prior to 0.12.9. | ||||
| CVE-2022-1986 | 1 Gogs | 1 Gogs | 2024-11-21 | 9.8 Critical |
| OS Command Injection in GitHub repository gogs/gogs prior to 0.12.9. | ||||
| CVE-2022-1464 | 1 Gogs | 1 Gogs | 2024-11-21 | 5.4 Medium |
| Stored xss bug in GitHub repository gogs/gogs prior to 0.12.7. As the repo is public , any user can view the report and when open the attachment then xss is executed. This bug allow executed any javascript code in victim account . | ||||
| CVE-2022-1285 | 1 Gogs | 1 Gogs | 2024-11-21 | 6.5 Medium |
| Server-Side Request Forgery (SSRF) in GitHub repository gogs/gogs prior to 0.12.8. | ||||
| CVE-2022-0871 | 1 Gogs | 1 Gogs | 2024-11-21 | 9.1 Critical |
| Missing Authorization in GitHub repository gogs/gogs prior to 0.12.5. | ||||
| CVE-2022-0870 | 1 Gogs | 1 Gogs | 2024-11-21 | 5.3 Medium |
| Server-Side Request Forgery (SSRF) in GitHub repository gogs/gogs prior to 0.12.5. | ||||