CVE-2026-52801 | Gogs is an open source self-hosted Git service. Prior to 0.1… | CVSS 8.1 HIGH

Description

Gogs is an open source self-hosted Git service. Prior to 0.14.3, the Gogs Mirror Settings functionality provide an alternative way from the well protected New Migration functionality for any authenticated users to import local repositories. This issue stems from a lack of validation of SaveAddress function. This vulnerability is fixed in 0.14.3.

Metadata

CVE ID: CVE-2026-52801
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-06-08 18:02 UTC
Published: 2026-06-24 20:18 UTC
Last updated: 2026-06-24 20:18 UTC
Primary CWE: CWE-20
CWE-20: Improper Input Validation
Vendor / Product: gogs / gogs
Sources: cve.org · NVD

Severity & Metrics

8.1 HIGH CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Affected products (1)

Vendor	Product	Platform	Versions
gogs	gogs	—	< 0.14.3

Weakness (CWE)

CWE	Source	Description
CWE-20	cna	CWE-20: Improper Input Validation

CVSS scores (1)

Score	Severity	Version	Source	Vector
8.1	HIGH	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

References (4)

https://github.com/gogs/gogs/security/advisories/GHSA-wv27-2vqp-j7g5 https://github.com/gogs/gogs/security/advisories/GHSA-wv27-2vqp-j7g5
https://github.com/gogs/gogs/pull/8225 https://github.com/gogs/gogs/pull/8225
https://github.com/gogs/gogs/commit/11e19f28b5c82466fd1689c94344ef4313ee986c https://github.com/gogs/gogs/commit/11e19f28b5c82466fd1689c94344ef4313ee986c
https://github.com/gogs/gogs/releases/tag/v0.14.3 https://github.com/gogs/gogs/releases/tag/v0.14.3