Multiple Critical Vulnerability Disclosures Across Gogs, Jinjava, and Kubernetes Local Path Provisioner
Several high-severity vulnerability disclosures were published across widely used developer and infrastructure components, with impacts ranging from remote code execution (RCE) to account takeover and arbitrary host file writes. In Gogs (self-hosted Git service), three CVEs were reported: CVE-2025-64111 (CVSS 9.3) enables RCE by bypassing checks in UpdateRepoFile to modify .git/config via the API (described as an insufficient fix for an earlier issue); CVE-2025-64175 (CVSS 7.7) allows a cross-account 2FA recovery-code bypass in versions 0.13.3 and earlier if an attacker already has a victim’s username/password; and CVE-2026-24135 (CVSS 7.2) is a wiki rename path traversal that can delete arbitrary files by manipulating old_title. Separately, Jinjava (HubSpot CMS template engine) disclosed CVE-2026-25526 (CVSS 9.8), a sandbox escape chain that permits arbitrary Java code execution by abusing ForTag iteration behavior (Bean ELResolver restriction bypass) and ObjectMapper-based JSON deserialization to instantiate disallowed classes.
A critical Kubernetes storage issue was also disclosed in Kubernetes Local Path Provisioner: CVE-2025-62878 (CVSS 10.0) allows directory traversal via the parameters.pathPattern setting, enabling a user who can create storage resources to provision volumes in arbitrary host locations (e.g., /etc) and potentially overwrite sensitive files on cluster nodes. In parallel to these product flaws, separate research reported widespread exposure of Git metadata on the public internet—approximately 4.96 million IPs with accessible .git directories and 250,000+ exposing .git/config files that may contain deployment credentials—highlighting a common, high-impact misconfiguration pattern that can enable source code reconstruction and secret theft. Active exploitation activity was reported for Ivanti Endpoint Manager Mobile (EPMM) involving CVE-2026-1281 and CVE-2026-1340, where attackers were observed dropping /mifs/403.jsp and using a Base64-delivered Java class loader designed for delayed, in-memory activation rather than immediate interactive webshell use.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Gogs fixes released for RCE, 2FA bypass, and file deletion flaws
Maintainers released patched versions of Gogs to fix the three disclosed vulnerabilities. Administrators were advised to upgrade promptly to mitigate the risk of exploitation.
Three Gogs vulnerabilities disclosed, including RCE and 2FA bypass
Three Gogs vulnerabilities were disclosed: CVE-2025-64111 enabling remote command execution, CVE-2025-64175 enabling cross-account 2FA recovery-code bypass, and CVE-2026-24135 enabling path traversal that can delete arbitrary .md files. The issues affect self-hosted Gogs deployments and can lead to account takeover, file deletion, and server compromise.
Jinjava maintainers release fixes for sandbox bypass chain
Maintainers released patches for CVE-2026-25526 that add security checks to ForTag rendering and tighten ObjectMapper behavior. Users were urged to upgrade to patched versions to prevent remote code execution.
Jinjava RCE flaw CVE-2026-25526 disclosed
A critical Jinjava vulnerability was disclosed as CVE-2026-25526 with a CVSS score of 9.8. The flaw chains sandbox bypasses in ForTag handling and ObjectMapper deserialization to enable arbitrary Java code execution in environments where users can edit or customize templates.
Local Path Provisioner v0.0.34 released to fix traversal issue
Maintainers released Local Path Provisioner v0.0.34 to address CVE-2025-62878 by adding stricter validation that rejects directory traversal attempts. The advisory said there are no workarounds and that upgrading is required.
Kubernetes Local Path Provisioner flaw CVE-2025-62878 disclosed
A critical directory traversal vulnerability in Kubernetes Local Path Provisioner was disclosed as CVE-2025-62878 with a CVSS score of 10.0. The issue allows attackers who can create storage resources to write files outside the intended storage directory on the host via a crafted pathPattern value.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Triple Threat: Critical Gogs Flaws (CVSS 9.3) Allow RCE & 2FA Bypass
securityonline.info
Open sourceCVE-2026-25526: Critical Jinjava Flaw (CVSS 9.8) Permits Remote Code Execution
securityonline.info
Open sourceCVE-2025-62878: Critical 10.0 Vulnerability Found in Kubernetes Local Path Provisioner
securityonline.info
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Multiple High-Severity Vulnerability Disclosures Across ICS, Open-Source Software, and SOHO Routers
Public disclosures highlighted multiple high-severity vulnerabilities across industrial control systems, open-source software, and consumer networking gear, with several issues enabling **unauthenticated remote compromise**. Johnson Controls disclosed **CVE-2025-26385** (CVSS 10.0), a critical SQL injection affecting multiple building/ICS management products (including *ADS/ADX, LCS8500, NAE8500, SCT, CCT*) that can allow remote, unauthenticated attackers to execute arbitrary SQL to alter/delete/exfiltrate data; CISA guidance emphasized isolating control system networks from the internet, segmentation, and controlled remote access (e.g., VPNs). Additional unauthenticated remote issues include **CVE-2026-25069** in *SunFounder Pironman Dashboard* (path traversal in log API endpoints enabling arbitrary file read/deletion) and **CVE-2025-51958** in the *DokuWiki* `runcommand` plugin (unauthenticated command execution via `lib/plugins/runcommand/postaction.php`). Other disclosures include developer-tooling and application-layer injection flaws and multiple router memory-corruption bugs with public exploit references. *Orval* fixed **CVE-2026-25141**, a code-injection issue where incomplete escaping can be bypassed using **JSFuck**-style payloads, and *Cybersecurity AI (CAI)* addressed **CVE-2026-25130**, where `subprocess.Popen(..., shell=True)` enables argument/command injection leading to RCE (notably via the `find_file()` tool). Data-layer issues include **CVE-2025-69662** in *geopandas* (`to_postgis()` SQL injection) and **CVE-2026-24854** in *ChurchCRM* (authenticated SQL injection via `PerID` in `/PaddleNumEditor.php`, patched in 6.7.2), while **CVE-2025-36384** affects *IBM Db2 for Windows* (local privilege escalation via unquoted search path). SOHO router flaws **CVE-2026-1686** (*Totolink A3600R*) and **CVE-2026-1637** (*Tenda AC21*) describe remotely reachable buffer/stack overflows with publicly available exploit material, increasing the likelihood of opportunistic exploitation where exposed management interfaces exist.
Mar 21, 2026
CISA Flags Actively Exploited Gogs Path Traversal Leading to RCE (CVE-2025-8110)
CISA added **CVE-2025-8110** affecting the *Gogs* self-hosted Git service to its **Known Exploited Vulnerabilities (KEV) Catalog**, citing evidence of active exploitation and triggering mandatory remediation timelines for U.S. Federal Civilian Executive Branch (FCEB) agencies under **BOD 22-01**. The issue is described as a **path traversal** weakness that can be leveraged for **remote code execution (RCE)** in real-world attacks, increasing risk for organizations running Internet-exposed Gogs instances. Technical reporting indicates the flaw resides in the `PutContents` API and can be abused by authenticated attackers using **symbolic links** to write outside a repository and overwrite sensitive files; one described route to code execution is overwriting Git configuration (e.g., `sshCommand`) to force arbitrary command execution. Wiz Research tied the vulnerability to observed malware activity on an Internet-facing Gogs server and reported large-scale exposure and compromise signals across the ecosystem (including thousands of exposed servers and hundreds showing signs of compromise), with exploitation observed as a zero-day prior to patch availability; CISA’s KEV action formalizes the exploitation status and elevates patching priority for both government and non-government operators.
Mar 21, 2026
Unpatched Gogs Argument Injection Flaw Enables Authenticated RCE
Rapid7 and BleepingComputer reported an unpatched **zero-day** in the self-hosted Git service **Gogs** that allows **authenticated remote code execution** through argument injection in the pull request rebase workflow. The flaw affects current releases including `0.14.2` and `0.15.0+dev`, and likely earlier versions that support rebase merging. An attacker can abuse the **"Rebase before merging"** feature by supplying a malicious branch name that is passed into a `git rebase` command without a proper option separator, enabling use of Git's `--exec` flag to run attacker-controlled shell commands as the Gogs server process user. The issue is rated **CVSSv4 9.4** and is considered especially dangerous on default-configured instances because **open registration** and unrestricted repository creation are enabled by default, lowering the barrier to exploitation. Successful attacks could expose private repositories, stored credentials, and secrets, enable code tampering and supply-chain compromise, and support lateral movement deeper into victim networks. Rapid7 said no vendor patch was available at publication time and released a Metasploit module for Linux and Windows, while separate reporting noted Gogs maintainers had only acknowledged the report. The disclosures follow broader scrutiny of Git hosting platforms, including a recently disclosed **Gitea** flaw, `CVE-2026-27771`, that can expose private container images without authentication on versions prior to `1.26.2`.
Jun 8, 2026