Path Traversal Vulnerability in Gogs Git Service
CVE-2026-52813

10 CRITICAL

Key Information:

Vendor

Gogs

Status
Vendor
CVE Published: 24 June 2026

What is CVE-2026-52813?

Gogs, an open-source platform for self-hosted Git management, is affected by a path traversal vulnerability: it accepts organization names that contain traversal sequences (../). As a result, repositories can be written and stored at arbitrary locations within the filesystem, which can lead to the compromise and manipulation of repository configurations. By exploiting this vulnerability, an attacker can craft nested structures of Git repositories that overwrite one another's hooks, resulting in Remote Code Execution (RCE). The vulnerability is resolved in version 0.14.3.
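The class of check that prevents this kind of flaw, shown as an added example: it is not Gogs code and not the 0.14.3 fix. The function names, the allow-list pattern, the `.git` suffix and the root directory are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// namePattern is an assumed allow-list for organization and repository names:
// ASCII letters, digits, '-', '_' and '.', so path separators never match.
var namePattern = regexp.MustCompile(`^[A-Za-z0-9_.-]{1,64}$`)

// ErrUnsafeName is returned when a name could move the path outside the root.
var ErrUnsafeName = errors.New("unsafe organization or repository name")

// ValidName rejects empty names, separators, and dot-only names such as "..".
func ValidName(name string) bool {
	return namePattern.MatchString(name) && strings.Trim(name, ".") != ""
}

// RepoPath maps (org, repo) to a directory under root and fails closed if
// either name is unsafe or the cleaned result would leave root.
func RepoPath(root, org, repo string) (string, error) {
	if !ValidName(org) || !ValidName(repo) {
		return "", ErrUnsafeName
	}
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	full := filepath.Join(absRoot, org, repo+".git")
	// Second layer: containment check on the cleaned path, so the result is
	// still safe if the allow-list above is ever loosened.
	rel, err := filepath.Rel(absRoot, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrUnsafeName
	}
	return full, nil
}

func main() {
	// Constructed sample names, not taken from the advisory.
	for _, org := range []string{"acme", "team.x", "../acme", "a/../../b", ".."} {
		p, err := RepoPath("/data/repositories", org, "demo")
		fmt.Printf("%-12q -> %q, %v\n", org, p, err)
	}
}
```

Validation belongs at the point where the name is first accepted and again wherever a filesystem path is built from it, so that a name stored before the check existed cannot reach the disk layer.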

Affected Version(s)

gogs < 0.14.3

CVSS V3.1

Score: 10
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
