9.3

CVE-2026-25921

Medienbericht
Exploit

Gogs: Cross-repository LFS object overwrite via missing content hash verification

Gogs is an open source self-hosted Git service. Prior to version 0.14.2, overwritable LFS object across different repos leads to supply-chain attack, all LFS objects are vulnerable to be maliciously overwritten by malicious attackers. This issue has been patched in version 0.14.2.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
GogsGogs Version < 0.14.2
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.33% 0.242
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
security-advisories@github.com 9.3 3.9 4.7
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:L
CWE-345 Insufficient Verification of Data Authenticity

The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
VulnDex Intel
Media Report
17.03.2026 22:19
https://github.com/gogs/gogs/security/advisories/GHSA-cj4v-437j-jq4c
Vendor Advisory
Exploit
Mitigation
https://github.com/gogs/gogs/pull/8166
Issue Tracking
https://github.com/gogs/gogs/commit/81ee8836445ac888d99da8b652be7d5cbc5c4d5c
Patch
https://github.com/gogs/gogs/releases/tag/v0.14.2
Release Notes