CVE-2026-52813 | Gogs is an open source self-hosted Git service. Prior to 0.1… | CVSS 10.0 CRITICAL

Description

Gogs is an open source self-hosted Git service. Prior to 0.14.3, organization names containing path traversal sequences (../) are accepted by Gogs, and repositories under them are written to paths following these path traversals. This allows storing/retrieving data for repositories at arbitrary locations on the filesystem. By creating nested structure of Git repositories, one can overwrite the other's hooks configuration to result in Remote Code Execution (RCE). This vulnerability is fixed in 0.14.3.

Metadata

CVE ID: CVE-2026-52813
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-06-08 18:11 UTC
Published: 2026-06-24 20:33 UTC
Last updated: 2026-06-24 20:33 UTC
Primary CWE: CWE-23
CWE-23: Relative Path Traversal
Vendor / Product: gogs / gogs
Sources: cve.org · NVD

Severity & Metrics

10.0 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Affected products (1)

Vendor	Product	Platform	Versions
gogs	gogs	—	< 0.14.3

Weakness (CWE)

CWE	Source	Description
CWE-23	cna	CWE-23: Relative Path Traversal

CVSS scores (1)

Score	Severity	Version	Source	Vector
10.0	CRITICAL	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

References (4)

https://github.com/gogs/gogs/security/advisories/GHSA-c39w-43gm-34h5 https://github.com/gogs/gogs/security/advisories/GHSA-c39w-43gm-34h5
https://github.com/gogs/gogs/pull/8334 https://github.com/gogs/gogs/pull/8334
https://github.com/gogs/gogs/commit/f6acd467305943aae8403cbac81f0118dd1235d7 https://github.com/gogs/gogs/commit/f6acd467305943aae8403cbac81f0118dd1235d7
https://github.com/gogs/gogs/releases/tag/v0.14.3 https://github.com/gogs/gogs/releases/tag/v0.14.3