10
CVE-2026-52813
- EPSS 1.11%
- Veröffentlicht 24.06.2026 21:16:57
- Zuletzt bearbeitet 26.06.2026 05:16:30
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
Gogs: Path Traversal in organization name results in RCE through Git hooks
Gogs is an open source self-hosted Git service. Prior to 0.14.3, organization names containing path traversal sequences (../) are accepted by Gogs, and repositories under them are written to paths following these path traversals. This allows storing/retrieving data for repositories at arbitrary locations on the filesystem. By creating nested structure of Git repositories, one can overwrite the other's hooks configuration to result in Remote Code Execution (RCE). This vulnerability is fixed in 0.14.3.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
Herstellergogs
≫
Produkt
gogs
Version
< 0.14.3
Status
affected
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
Login| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 1.11% | 0.617 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 10 | 3.9 | 6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
|
CWE-23 Relative Path Traversal
The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.
https://github.com/gogs/gogs/releases/tag/v0.14.3
https://github.com/gogs/gogs/commit/f6acd467305943aae8403cbac81f0118dd1235d7
https://github.com/gogs/gogs/pull/8334
https://github.com/gogs/gogs/security/advisories/GHSA-c39w-43gm-34h5