Product: gogs
56 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
CVE | Affected versions | CVSS | Severity | Description
CVE-2026-26276 | < 0.14.2 | 7.3 | HIGH | Gogs is an open source self-hosted Git service. Prior to version 0.14.2, an attacker can store an HTML/JavaScript payload in a rep
CVE-2026-26196 | < 0.14.2 | 5.3 | MEDIUM | Gogs is an open source self-hosted Git service. Prior to version 0.14.2, gogs api still accepts tokens in url params like token an
CVE-2026-26195 | < 0.14.2 | 6.1 | MEDIUM | Gogs is an open source self-hosted Git service. Prior to version 0.14.2, stored XSS is still possible through unsafe template rend
CVE-2026-26194 | < 0.14.2 | 7.3 | HIGH | Gogs is an open source self-hosted Git service. Prior to version 0.14.2, there's a security issue in gogs where deleting a release
CVE-2026-26022 | < 0.14.2 | 8.7 | HIGH | Gogs is an open source self-hosted Git service. Prior to version 0.14.2, a stored cross-site scripting (XSS) vulnerability exists
CVE-2026-25921 | < 0.14.2 | 9.3 | CRITICAL | Gogs is an open source self-hosted Git service. Prior to version 0.14.2, overwritable LFS object across different repos leads to s
CVE-2026-25242 | < 0.14.1 | 9.8 | CRITICAL | Gogs is an open source self-hosted Git service. Versions 0.13.4 and below expose unauthenticated file upload endpoints by default.
CVE-2026-25232 | < 0.14.1 | 8.8 | HIGH | Gogs is an open source self-hosted Git service. Versions 0.13.4 and below have an access control bypass vulnerability which allows
CVE-2026-25229 | < 0.14.1 | 6.5 | MEDIUM | Gogs is an open source self-hosted Git service. Versions 0.13.4 and below have a broken access control vulnerability which allows
CVE-2026-25120 | < 0.14.0 | 2.7 | LOW | Gogs is an open source self-hosted Git service. In versions 0.13.4 and below, the DeleteComment API does not verify that the comme
CVE-2026-24135 | < 0.13.4 | 8.1 | HIGH | Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, a path traversal vulnerability exists in the updateWi
CVE-2026-23633 | < 0.13.4 | 6.5 | MEDIUM | Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, there is an arbitrary file read/write via path traver
CVE-2026-23632 | < 0.13.4 | 6.5 | MEDIUM | Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, the endpoint "PUT /repos/:owner/:repo/contents/*" doe
CVE-2026-22592 | < 0.13.4 | 6.5 | MEDIUM | Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, an authenticated user can cause a DoS attack. If one
CVE-2025-64175 | < 0.13.4 | 8.8 | HIGH | Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, Gogs’ 2FA recovery code validation does not scope c
CVE-2025-64111 | < 0.13.4 | 9.8 | CRITICAL | Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, due to the insufficient patch for CVE-2024-56731, it'
CVE-2025-8110 | <= 0.13.3 | 8.8 | HIGH | Improper Symbolic link handling in the PutContents API in Gogs allows Local Execution of Code.
CVE-2024-56731 | < 0.13.3 | 10.0 | CRITICAL | Gogs is an open source self-hosted Git service. Prior to version 0.13.3, it's still possible to delete files under the .git direct
CVE-2024-55947 | < 0.13.1 | 8.8 | HIGH | Gogs is an open source self-hosted Git service. A malicious user is able to write a file to an arbitrary path on the server to gai
CVE-2024-54148 | < 0.13.1 | 9.8 | CRITICAL | Gogs is an open source self-hosted Git service. A malicious user is able to commit and edit a crafted symlink file to a repository
CVE-2024-44625 | <= 0.13.0 | 8.8 | HIGH | Gogs <=0.13.0 is vulnerable to Directory Traversal via the editFilePost function of internal/route/repo/editor.go.
CVE-2022-1884 | <= 0.12.7 | 9.8 | CRITICAL | A remote command execution vulnerability exists in gogs/gogs versions <=0.12.7 when deployed on a Windows server. The vulnerabilit
CVE-2024-39933 | <= 0.13.0 | 7.7 | HIGH | Gogs through 0.13.0 allows argument injection during the tagging of a new release.
CVE-2024-39932 | <= 0.13.0 | 9.9 | CRITICAL | Gogs through 0.13.0 allows argument injection during the previewing of changes.
CVE-2024-39931 | <= 0.13.0 | 9.9 | CRITICAL | Gogs through 0.13.0 allows deletion of internal files.
CVE-2024-39930 | <= 0.13.0 | 9.9 | CRITICAL | The built-in SSH server of Gogs through 0.13.0 allows argument injection in internal/ssh/ssh.go, leading to remote code execution.
CVE-2023-46657 | <= 1.0.15 | 5.3 | MEDIUM | Jenkins Gogs Plugin 1.0.15 and earlier uses a non-constant time comparison function when checking whether the provided and expecte
CVE-2023-40349 | <= 1.0.15 | 5.3 | MEDIUM | Jenkins Gogs Plugin 1.0.15 and earlier improperly initializes an option to secure its webhook endpoint, allowing unauthenticated a
CVE-2023-40348 | <= 1.0.15 | 5.3 | MEDIUM | The webhook endpoint in Jenkins Gogs Plugin 1.0.15 and earlier provides unauthenticated attackers information about the existence
CVE-2022-2024 | < 0.12.11 | 9.8 | CRITICAL | OS Command Injection in GitHub repository gogs/gogs prior to 0.12.11.
CVE-2022-32174 | >= 0.6.5 and <= 0.12.10 | 9.0 | CRITICAL | In Gogs, versions v0.6.5 through v0.12.10 are vulnerable to Stored Cross-Site Scripting (XSS) that leads to an account takeover.
CVE-2022-31038 | < 0.12.9 | 5.4 | MEDIUM | Gogs is an open source self-hosted Git service. In versions of gogs prior to 0.12.9 DisplayName does not filter characters input
CVE-2022-1993 | < 0.12.9 | 8.1 | HIGH | Path Traversal in GitHub repository gogs/gogs prior to 0.12.9.
CVE-2022-1992 | < 0.12.9 | 9.1 | CRITICAL | Path Traversal in GitHub repository gogs/gogs prior to 0.12.9.
CVE-2022-1986 | < 0.12.9 | 9.8 | CRITICAL | OS Command Injection in GitHub repository gogs/gogs prior to 0.12.9.
CVE-2021-32546 | < 0.12.8 | 8.8 | HIGH | Missing input validation in internal/db/repo_editor.go in Gogs before 0.12.8 allows an attacker to execute code remotely. An unpri
CVE-2022-1285 | < 0.12.8 | 6.5 | MEDIUM | Server-Side Request Forgery (SSRF) in GitHub repository gogs/gogs prior to 0.12.8.
CVE-2022-1464 | < 0.12.7 | 5.4 | MEDIUM | Stored XSS bug in GitHub repository gogs/gogs prior to 0.12.7. As the repo is public, any user can view the report and when open
CVE-2022-0415 | < 0.12.6 | 8.8 | HIGH | Remote Command Execution in uploading repository file in GitHub repository gogs/gogs prior to 0.12.6.
CVE-2022-0871 | < 0.12.5 | 9.1 | CRITICAL | Missing Authorization in GitHub repository gogs/gogs prior to 0.12.5.
CVE-2022-0870 | < 0.12.5 | 5.3 | MEDIUM | Server-Side Request Forgery (SSRF) in GitHub repository gogs/gogs prior to 0.12.5.
CVE-2020-15867 | >= 0.5.5 and <= 0.12.2 | 7.2 | HIGH | The git hook feature in Gogs 0.5.5 through 0.12.2 allows for authenticated remote code execution. There can be a privilege escalat
CVE-2020-14958 | all versions | 6.5 | MEDIUM | In Gogs 0.11.91, MakeEmailPrimary in models/user_mail.go lacks a "not the owner of the email" check.
CVE-2020-9329 | <= 0.11.91 | 5.9 | MEDIUM | Gogs through 0.11.91 allows attackers to violate the admin-specified repo-creation policy due to an internal/db/repo.go race condi
CVE-2019-14544 | all versions | 9.8 | CRITICAL | routes/api/v1/api.go in Gogs 0.11.86 lacks permission checks for routes: deploy keys, collaborators, and hooks.
CVE-2019-10348 | <= 1.0.14 | 8.8 | HIGH | Jenkins Gogs Plugin stored credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users
CVE-2018-20303 | < 0.11.82.1218 | 7.5 | HIGH | In pkg/tool/path.go in Gogs before 0.11.82.1218, a directory traversal in the file-upload functionality can allow an attacker to c
CVE-2018-18925 | <= 0.11.66 | 9.8 | CRITICAL | Gogs 0.11.66 allows remote code execution because it does not properly validate session IDs, as demonstrated by a ".." session-fil
CVE-2018-17031 | all versions | 6.1 | MEDIUM | In Gogs 0.11.53, an attacker can use a crafted .eml file to trigger MIME type sniffing, which leads to XSS, as demonstrated by Int
CVE-2018-16409 | all versions | 8.6 | HIGH | In Gogs 0.11.53, an attacker can use migrate to send arbitrary HTTP GET requests, leading to SSRF.
CVE-2018-15193 | all versions | 8.8 | HIGH | A CSRF vulnerability in the admin panel in Gogs through 0.11.53 allows remote attackers to execute admin operations via a crafted
CVE-2018-15192 | <= 0.11.53 | 8.6 | HIGH | An SSRF vulnerability in webhooks in Gitea through 1.5.0-rc2 and Gogs through 0.11.53 allows remote attackers to access intranet s
CVE-2018-15178 | < 0.12 | 6.1 | MEDIUM | Open redirect vulnerability in Gogs before 0.12 allows remote attackers to redirect users to arbitrary websites and conduct phishi
CVE-2014-8683 | <= 0.5.5 | | | Cross-site scripting (XSS) vulnerability in models/issue.go in Gogs (aka Go Git Service) 0.3.1-9 through 0.5.x before 0.5.8 allows
CVE-2014-8682 | <= 0.5.5 | | | Multiple SQL injection vulnerabilities in Gogs (aka Go Git Service) 0.3.1-9 through 0.5.x before 0.5.6.1105 Beta allow remote atta
CVE-2014-8681 | <= 0.5.5 | | | SQL injection vulnerability in the GetIssues function in models/issue.go in Gogs (aka Go Git Service) 0.3.1-9 through 0.5.6.x befo
threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin