
New Gogs zero-day flaw lets hackers get remote code execution

Published:

28 May 2026 at 14:25:43

Alert date:

28 May 2026 at 15:02:45

Source:

bleepingcomputer.com


Web Technologies, Zero-Day Vulnerabilities, Enterprise Applications

A new unpatched zero-day vulnerability has been discovered in Gogs, a self-hosted Git service. The flaw allows attackers to achieve remote code execution (RCE) on Internet-facing instances of the service. This represents a critical security risk for organizations using Gogs for version control, as attackers can potentially gain complete control over affected systems. The vulnerability affects self-hosted Git repositories and could lead to code theft, system compromise, and lateral movement within networks.

Technical details

This is a critical-severity argument injection vulnerability in the Gogs self-hosted Git service, affecting versions 0.14.2 and 0.15.0+dev. It can be exploited by authenticated attackers without admin privileges: a pull request with a malicious branch name injects the '--exec' flag into the git rebase command that runs during the 'Rebase before merging' operation. Because the default configuration allows open registration and unlimited repository creation, unauthenticated attackers can simply create an account and then exploit the flaw. The issue is similar to previously patched argument injection flaws in Gogs, but it lies in a different code path, Merge(), which was never patched.

Mitigation steps:

More than 2,400 Gogs servers are exposed online, according to Shadowserver tracking.
Disable open registration (set DISABLE_REGISTRATION = true) and limit repository creation (adjust MAX_CREATION_LIMIT).
Watch for malicious branch names in pull requests that attempt to inject git rebase arguments.
Apply patches when they become available.
Federal agencies must secure their servers by February 2, as ordered by CISA.
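The technical details above describe a branch name that git parses as an option rather than a ref, and the mitigation advice is to watch pull-request branch names for that pattern. The Go code below is an added example, not Gogs' own code: it shows how a service can reject option-like ref names before they reach a git command, and how a defender can flag such names among existing pull requests. The function names and sample branch names are constructed for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Characters git's check-ref-format forbids anywhere in a ref name.
var forbiddenRefChars = regexp.MustCompile(`[\x00-\x1f\x7f ~^:?*\[\\]`)

// IsSafeBranchName applies git's ref-name rules plus the one that matters for
// argument injection: a leading '-' is rejected so the name can never be read
// as an option such as --exec when passed to git rebase.
func IsSafeBranchName(name string) bool {
	if name == "" || strings.HasPrefix(name, "-") || forbiddenRefChars.MatchString(name) {
		return false
	}
	if strings.Contains(name, "..") || strings.Contains(name, "@{") || strings.Contains(name, "//") {
		return false
	}
	if strings.HasPrefix(name, "/") || strings.HasSuffix(name, "/") || strings.HasSuffix(name, ".") {
		return false
	}
	for _, part := range strings.Split(name, "/") {
		if strings.HasPrefix(part, ".") || strings.HasSuffix(part, ".lock") {
			return false
		}
	}
	return true
}

// FlagOptionLikeBranches is the detection side: given branch names seen on
// incoming pull requests, it returns those that parse as options, not refs.
func FlagOptionLikeBranches(names []string) []string {
	var flagged []string
	for _, n := range names {
		if strings.HasPrefix(n, "-") {
			flagged = append(flagged, n)
		}
	}
	return flagged
}

func main() {
	// Constructed sample branch names; not taken from the advisory.
	sample := []string{"feature/login", "--exec", "-x", "fix-typo", "a..b"}
	fmt.Println("option-like:", FlagOptionLikeBranches(sample)) // [--exec -x]
	fmt.Println("safe feature/login:", IsSafeBranchName("feature/login"))
}
```

Running the validator at pull-request creation time blocks the injection class regardless of which git subcommand later consumes the name; the flagging function is for reviewing branches that already exist.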

Affected products:

Gogs 0.14.2
Gogs 0.15.0+dev

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

This website displays information from external sources; Perceptive accepts no responsibility for the accuracy, completeness or timeliness of this information.
