CVE-2026-52813
Gogs is an open source self-hosted Git service. Prior to 0.14.3, organization names containing path traversal sequences (../) are accepted by Gogs, and repositories under them are written to paths following these path traversals. This allows storing/retrieving data for repositories at arbitrary locations on the filesystem. By creating a nested structure of Git repositories, one can overwrite the other's hooks configuration to result in Remote Code Execution (RCE). This vulnerability is fixed in 0.14.3.
Analysis
Gogs, the popular self-hosted Git service, has a critical directory traversal vulnerability in its handling of organization names. An attacker can exploit this flaw to overwrite Git hooks and achieve remote code execution (RCE) on the server. Given its CVSS score of 10.0, upgrading immediately to version 0.14.3 is recommended.
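The defensive check this bug calls for, shown as an added example rather than Gogs' own code: organization and repository names are validated against a strict allowlist before being joined onto the repository root, and the resulting path is independently verified to still lie under that root. The root directory, the allowlist pattern and the function names are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// Assumed repository root; the real Gogs setting is configurable (constructed value).
const repoRoot = "/data/gogs-repositories"

// namePattern is an allowlist for organization and repository names (an assumption,
// not Gogs' own rule): letters, digits, '.', '-', '_', and no leading dot.
var namePattern = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9._-]*$`)

var ErrBadName = errors.New("invalid organization or repository name")

// validName rejects names that are empty, are "." or "..", contain a path
// separator, or fail the allowlist. A name such as "../../tmp" fails on the
// separator check alone, before any filesystem path is ever built.
func validName(name string) bool {
	if name == "" || name == "." || name == ".." {
		return false
	}
	if strings.ContainsAny(name, `/\`) {
		return false
	}
	return namePattern.MatchString(name)
}

// SafeRepoPath builds <root>/<org>/<repo>.git and refuses anything that would
// escape root. The filepath.Rel check is a second, independent guard so that a
// future loosening of the allowlist cannot silently reintroduce traversal.
func SafeRepoPath(root, org, repo string) (string, error) {
	if !validName(org) || !validName(repo) {
		return "", ErrBadName
	}
	cleanRoot := filepath.Clean(root)
	p := filepath.Join(cleanRoot, org, repo+".git")
	rel, err := filepath.Rel(cleanRoot, p)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrBadName
	}
	return p, nil
}

func main() {
	for _, org := range []string{"acme", "../../tmp", "..", "a/b"} {
		p, err := SafeRepoPath(repoRoot, org, "website")
		fmt.Printf("org=%q -> path=%q err=%v\n", org, p, err)
	}
}
```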
Severity
CVSS: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CWE: CWE-23
EPSS: No EPSS score yet (CVE may be too fresh).