Arbitrary File Deletion Flaw in Gogs Wiki Update Enables Path Traversal
Gogs disclosed a security advisory for an arbitrary file deletion vulnerability in its wiki page update functionality, tracked as GHSA-jp7c-wj6q-3qf2. The flaw stems from a path traversal issue that can let an attacker manipulate file paths during wiki updates and delete files outside the intended directory, creating a risk to repository integrity and server-side data stored by the self-hosted Git service.
A public repository referencing CVE-2026-24135 later documented the same issue as an arbitrary file deletion bug in Gogs caused by wiki path traversal, indicating that technical details are now publicly accessible. Organizations running Gogs should review exposed wiki features, assess whether untrusted users can modify wiki content, and prioritize vendor guidance and patching to prevent unauthorized deletion of application or system files.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Public CVE repository publishes material for CVE-2026-24135
A public GitHub repository for CVE-2026-24135 was published, documenting the arbitrary file deletion issue in Gogs via wiki path traversal. This made technical information about the vulnerability publicly accessible.
Gogs discloses arbitrary file deletion flaw in wiki page update
A GitHub security advisory for Gogs disclosed an arbitrary file deletion vulnerability caused by path traversal in the wiki page update functionality. The issue was tracked as GHSA-jp7c-wj6q-3qf2.
Sources
2 references tracked. Mallory keeps watching after this page renders.
GitHub - reschjonas/CVE-2026-24135: Arbitrary File Deletion in Gogs via Wiki Path Traversal · GitHub
github.com
Open sourceArbitrary file deletion via path traversal in wiki page update · Advisory · gogs/gogs · GitHub
github.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Gogs Pathspec Flaw Lets Malicious Filenames Break Repository and Wiki Pages
Gogs disclosed a denial-of-service vulnerability, **CVE-2025-64719**, affecting `gogs.io/gogs` versions **0.14.2 and earlier**. A malicious user with permission to create a new repository file or wiki entry can use a specially crafted filename containing Git pathspec-related characters to trigger persistent **HTTP 500** errors on repository index and wiki listing pages. Public details in GitHub advisory `GHSA-3qq3-668m-v9mj` show a proof of concept using the filename: ```text [] ``` The flaw stems from commit information recovery logic in `internal/route/repo/view.go` and `internal/route/repo/wiki.go`, including a case where `commits[0]` may be dereferenced without confirming a valid value exists. The impact is limited to availability of the affected repository or wiki pages in the **web interface**; command-line Git operations are not affected, and the issue does not enable code execution or data theft. Gogs reported the bug was fixed in a release published on **2026-06-07**, with public disclosure following on **2026-06-19**.
Jun 22, 2026
Remote Code Execution via File Overwrite in Gogs PutContents API
A critical vulnerability, tracked as CVE-2025-8110, has been identified in the PutContents API of the *Gogs* self-hosted Git service. The flaw arises from improper handling of symbolic links, allowing remote, authenticated attackers to overwrite arbitrary files on the server. Successful exploitation enables attackers to execute arbitrary code with the privileges of the Gogs server process, potentially leading to full system compromise. Security researchers have reported that this vulnerability is being actively exploited in the wild, and it affects Gogs versions 0.13.3 and prior. Currently, there is no patched version available to address CVE-2025-8110. Administrators are advised to disable auto-registration of users and avoid exposing Gogs instances to the internet as temporary mitigations. Detection of vulnerable systems can be performed using specific queries to identify Gogs installations, such as searching for HTTP services with a known favicon hash. Organizations running Gogs should prioritize mitigation steps to reduce the risk of exploitation until an official fix is released.
Mar 21, 2026
Unpatched Gogs Argument Injection Flaw Enables Authenticated RCE
Rapid7 and BleepingComputer reported an unpatched **zero-day** in the self-hosted Git service **Gogs** that allows **authenticated remote code execution** through argument injection in the pull request rebase workflow. The flaw affects current releases including `0.14.2` and `0.15.0+dev`, and likely earlier versions that support rebase merging. An attacker can abuse the **"Rebase before merging"** feature by supplying a malicious branch name that is passed into a `git rebase` command without a proper option separator, enabling use of Git's `--exec` flag to run attacker-controlled shell commands as the Gogs server process user. The issue is rated **CVSSv4 9.4** and is considered especially dangerous on default-configured instances because **open registration** and unrestricted repository creation are enabled by default, lowering the barrier to exploitation. Successful attacks could expose private repositories, stored credentials, and secrets, enable code tampering and supply-chain compromise, and support lateral movement deeper into victim networks. Rapid7 said no vendor patch was available at publication time and released a Metasploit module for Linux and Windows, while separate reporting noted Gogs maintainers had only acknowledged the report. The disclosures follow broader scrutiny of Git hosting platforms, including a recently disclosed **Gitea** flaw, `CVE-2026-27771`, that can expose private container images without authentication on versions prior to `1.26.2`.
Jun 8, 2026