CVE-2026-52797 | Gogs is an open source self-hosted Git service. Prior to 0.1… | CVSS 8.5 HIGH

Description

Gogs is an open source self-hosted Git service. Prior to 0.14.0, as an authorized user, an intruder can dictate the value which is passed to the git diff command which, together with bypassing the filtering of the passed value, allows the user to bypass the target directory and write the result of the comparison to any arbitrary path. This vulnerability is fixed in 0.14.0.

Metadata

CVE ID: CVE-2026-52797
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-06-08 18:02 UTC
Published: 2026-06-24 20:35 UTC
Last updated: 2026-06-24 20:35 UTC
Primary CWE: CWE-22
CWE-22: Improper Limitation of a Pathname to a Restricted Di…
Vendor / Product: gogs / gogs
Sources: cve.org · NVD

Severity & Metrics

8.5 HIGH CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H

Affected products (1)

Vendor	Product	Platform	Versions
gogs	gogs	—	< 0.14.0

Weakness (CWE)

CWE	Source	Description
CWE-22	cna	CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS scores (1)

Score	Severity	Version	Source	Vector
8.5	HIGH	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H

References (1)

https://github.com/gogs/gogs/security/advisories/GHSA-pm6v-2h4w-4rp2 https://github.com/gogs/gogs/security/advisories/GHSA-pm6v-2h4w-4rp2