No fix yet for critical RCE bug in open-source Git service Gogs - exploit module is out
A critical remote code execution (RCE) vulnerability in the open-source Git service Gogs remains unpatched despite being reported in March. Any authenticated user can exploit the flaw, potentially compromising servers and stealing sensitive information. Researchers have created a public exploit module, raising concerns about imminent exploitation in the wild.
- The vulnerability affects all supported platforms, including Windows, Linux, and macOS.
- The issue stems from an argument injection flaw in Gogs' pull request merge flow.
- Users are advised to restrict user registration and repository creation to mitigate the risk.
Opening excerpt (first ~120 words)
Researcher reported the vuln in March. Maintainers haven't responded to his messages since
Jessica Lyons
Published Fri 29 May 2026 // 19:26 UTC
There's a huge hole and no one is patching it thus far.
…
Excerpt limited to ~120 words for fair-use compliance. The full article is at The Register.