CVE-2026-52813
Gogs is an open source self-hosted Git service. Prior to 0.14.3, organization names containing path traversal sequences (../) are accepted by Gogs, and repositories under them are written to paths following these path traversals. This allows storing/retrieving data for repositories at arbitrary locations on the filesystem. By creating a nested structure of Git repositories, one can overwrite the other's hooks configuration, resulting in Remote Code Execution (RCE). This vulnerability is fixed in 0.14.3.
Analysis
Gogs, the popular self-hosted Git service, has a critical directory traversal vulnerability in its handling of organization names. An attacker can exploit this flaw to overwrite Git hooks and achieve remote code execution (RCE) on the server. Given its CVSS score of 10.0, updating immediately to version 0.14.3 is recommended.
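The defensive check the advisory implies, as an added example in Go (Gogs' own language) that is not Gogs' code: a naive path join lets an organization name containing ../ escape the repository root, while the hardened variant rejects the name and independently verifies that the resolved path stays inside the root. The root directory, the name pattern and the sample names are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// Hypothetical repository root; Gogs reads its real value from configuration.
const repoRoot = "/var/gogs/repositories"

// Conservative allow-list for org and repo names (an added policy, not Gogs').
// The leading alphanumeric rules out ".", ".." and any hidden-name tricks.
var safeName = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9._-]*$`)

// repoPathUnchecked joins the pieces the way a naive implementation would.
// filepath.Join cleans the result, so "../" segments walk out of repoRoot.
func repoPathUnchecked(org, repo string) string {
	return filepath.Join(repoRoot, org, repo+".git")
}

// repoPathSafe validates both names and then checks containment of the
// final path, so it fails closed even if the name check were bypassed.
func repoPathSafe(org, repo string) (string, error) {
	for _, n := range []string{org, repo} {
		if !safeName.MatchString(n) {
			return "", fmt.Errorf("invalid name %q", n)
		}
	}
	p := filepath.Join(repoRoot, org, repo+".git")
	rel, err := filepath.Rel(repoRoot, p)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errors.New("path escapes repository root")
	}
	return p, nil
}

func main() {
	org := "../../outside" // constructed traversal-style organization name
	fmt.Println("unchecked:", repoPathUnchecked(org, "x"))
	if _, err := repoPathSafe(org, "x"); err != nil {
		fmt.Println("rejected:", err)
	}
	p, _ := repoPathSafe("acme", "web")
	fmt.Println("accepted:", p)
}
```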
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CWE-23
EPSS
No EPSS score yet (very recent CVE).