Unpatched Gogs Argument Injection Flaw Enables Authenticated RCE
Rapid7 and BleepingComputer reported an unpatched zero-day in the self-hosted Git service Gogs that allows authenticated remote code execution through argument injection in the pull request rebase workflow. The flaw affects current releases including 0.14.2 and 0.15.0+dev, and likely earlier versions that support rebase merging. An attacker can abuse the "Rebase before merging" feature by supplying a malicious branch name that is passed into a git rebase command without a proper option separator, enabling use of Git's --exec flag to run attacker-controlled shell commands as the Gogs server process user.
The issue is rated CVSSv4 9.4 and is considered especially dangerous on default-configured instances because open registration and unrestricted repository creation are enabled by default, lowering the barrier to exploitation. Successful attacks could expose private repositories, stored credentials, and secrets, enable code tampering and supply-chain compromise, and support lateral movement deeper into victim networks. Rapid7 said no vendor patch was available at publication time and released a Metasploit module for Linux and Windows, while separate reporting noted Gogs maintainers had only acknowledged the report. The disclosures follow broader scrutiny of Git hosting platforms, including a recently disclosed Gitea flaw, CVE-2026-27771, that can expose private container images without authentication on versions prior to 1.26.2.
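The root cause described above is a classic argument-injection pattern: a user-controlled branch name is placed into a `git rebase` argv where a value beginning with `-` is parsed as an option rather than a ref. The following Go program is an added illustration written for this page; it is not Gogs code or Rapid7's proposed fix, and the function names (`ValidateBranchName`, `UnsafeRebaseArgs`, `SafeRebaseArgs`) and the allow-list pattern are assumptions chosen for the example. It contrasts the vulnerable argv shape with a hardened one that both validates ref names and terminates option parsing with `--`.

```go
package main

import (
	"fmt"
	"os/exec"
	"regexp"
	"strings"
)

// refNamePattern is a deliberately conservative allow-list for branch names
// (assumption: stricter than `git check-ref-format`, which is acceptable for
// a server-side hardening check).
var refNamePattern = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9._/-]*$`)

// ValidateBranchName rejects names that git could parse as an option
// ("-..." / "--...") and names outside the allow-list.
func ValidateBranchName(name string) error {
	if name == "" {
		return fmt.Errorf("empty branch name")
	}
	if strings.HasPrefix(name, "-") {
		return fmt.Errorf("branch name %q looks like a command-line option", name)
	}
	if !refNamePattern.MatchString(name) {
		return fmt.Errorf("branch name %q contains disallowed characters", name)
	}
	if strings.Contains(name, "..") || strings.HasSuffix(name, "/") || strings.HasSuffix(name, ".lock") {
		return fmt.Errorf("branch name %q is not a valid ref", name)
	}
	return nil
}

// UnsafeRebaseArgs mirrors the vulnerable argv shape the story describes:
// user input lands directly after the subcommand with no "--" separator, so a
// value starting with "-" becomes a git option. Illustrative only.
func UnsafeRebaseArgs(baseBranch, headBranch string) []string {
	return []string{"rebase", baseBranch, headBranch}
}

// SafeRebaseArgs validates both refs and inserts "--" so that everything after
// it is positional, even if a bad name were to slip past validation.
func SafeRebaseArgs(baseBranch, headBranch string) ([]string, error) {
	for _, b := range []string{baseBranch, headBranch} {
		if err := ValidateBranchName(b); err != nil {
			return nil, err
		}
	}
	return []string{"rebase", "--", baseBranch, headBranch}, nil
}

// IsOptionLike reports whether git would treat an argv element as an option.
func IsOptionLike(arg string) bool {
	return strings.HasPrefix(arg, "-")
}

func main() {
	// Constructed sample input: a branch name shaped like a git option.
	hostile := "--exec=true"

	unsafe := UnsafeRebaseArgs("main", hostile)
	fmt.Printf("unsafe argv: %q (option-like element: %v)\n", unsafe, IsOptionLike(unsafe[2]))

	if _, err := SafeRebaseArgs("main", hostile); err != nil {
		fmt.Println("hardened path rejected input:", err)
	}

	safe, err := SafeRebaseArgs("main", "feature/login")
	if err != nil {
		panic(err)
	}
	// argv is passed directly to git with no shell involved; the command is
	// only constructed here, not executed.
	cmd := exec.Command("git", safe...)
	fmt.Printf("hardened argv: %q\n", cmd.Args)
}
```

The two controls are complementary: validation gives a clear error to the user and a log line to the defender, while `--` is the safety net that makes the argv unambiguous to git regardless of what the name looks like. Neither replaces the vendor patch, but the same pattern applies to any service that builds git argument lists from user-supplied refs.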

How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Gogs patched critical authenticated RCE in version 0.14.3
Gogs released version 0.14.3 on June 7, 2026 to patch the critical argument injection remote code execution flaw previously disclosed by Rapid7. The patch addressed the vulnerability affecting releases up to and including 0.14.2 and 0.15.0+dev.
Rapid7 submitted proposed fix for unpatched Gogs RCE
With no official vendor patch available, Rapid7 submitted a pull request containing a proposed fix for the authenticated Gogs RCE vulnerability. The company also recommended mitigations including disabling registration, restricting repository creation, and turning off 'Rebase before merging.'
Rapid7 disclosed unpatched Gogs RCE and released Metasploit module
Rapid7 publicly disclosed a critical authenticated remote code execution vulnerability in Gogs caused by argument injection in the 'Rebase before merging' feature. The company said the flaw affects Gogs 0.14.2 and 0.15.0+dev, released a Metasploit module for Linux and Windows exploitation, and noted no vendor patch was available at publication time.
Rapid7 reported Gogs authenticated RCE flaw to maintainers
According to BleepingComputer, Rapid7 researcher Jonah Burges reported the Gogs argument injection vulnerability to the maintainers in March. The maintainers had only acknowledged the report and had not issued a patch or further response by the time of publication.
Gitea private image exposure flaw disclosed with patch guidance
Researchers disclosed CVE-2026-27771 in Gitea, an unauthenticated flaw that allows pulling private container images from affected deployments. The disclosure said all versions prior to 1.26.2 are affected and advised upgrading to 1.26.2 or enabling REQUIRE_SIGNIN_VIEW as a workaround.
Rapid7 reported Gogs RCE flaw to maintainer
Rapid7 reported the authenticated Gogs remote code execution vulnerability to the maintainer on March 17, 2026. The flaw involved argument injection via the 'Rebase before merging' feature and remained unpatched at the time of later public disclosure.
Sources
Gogs Zero-Day Vulnerability Raises Alarm Over Server Security - CySecurity News - Latest Information Security and Hacking Incidents (cysecurity.news)
Gogs patches critical zero-day enabling remote code execution (bleepingcomputer.com)
Security Researchers Are Threat Actors - PSW #929 | SC Media (scworld.com)
Critical Gogs RCE Vulnerability: Unpatched 0-Day (CVSS 9.4) | The CyberSec Guru (thecybersecguru.com)
New Gogs 0-Day Vulnerability Lets Attackers Execute Malicious Code Remotely on the Server (cybersecuritynews.com)
Authenticated RCE via Argument Injection in Gogs (NOT FIXED) (rapid7.com)
New Gogs zero-day flaw lets hackers get remote code execution (bleepingcomputer.com)
Gitea Vulnerability Exposes Private Container Images without Authentication (thehackernews.com)