Unauthenticated File Upload Vulnerabilities in Gogs Git Service
CVE-2026-25242

6.9MEDIUM

Key Information:

Vendor

Gogs

Status
Gogs
Vendor
CVE Published:
19 February 2026

What is CVE-2026-25242?

Gogs, an open-source self-hosted Git service, has a significant security vulnerability that allows unauthenticated file uploads on versions 0.13.4 and earlier. By default, when the 'RequireSigninView' setting is disabled, any user can upload arbitrary files via the endpoints /releases/attachments and /issues/attachments. This improper validation exposes the system to potential misuse, enabling it to function as a public file host, which may lead to issues such as disk exhaustion, content hosting risks, or even the delivery of malicious files. The vulnerability is addressed in Gogs version 0.14.1.

Affected Version(s)

gogs < 0.14.1

References

https://github.com/gogs/gogs/security/advisories/GHSA-fc3...
x_refsource_CONFIRM
https://github.com/gogs/gogs/pull/8128
x_refsource_MISC
https://github.com/gogs/gogs/commit/628216d5889fcb838c471...
x_refsource_MISC

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.