CVE-2026-25921 – Gogs Remote Code Execution Vulnerability
CVSS 9.3
CRITICAL
“A lightweight Git server can become a heavyweight risk when execution paths are exposed.”
Gogs addressed CVE-2026-25921, a critical vulnerability that allows remote code execution within its Git service platform. The issue stems from improper handling of user input in server-side operations, enabling attackers to execute arbitrary commands and potentially take full control of the underlying system and hosted repositories.
CVE-2026-25921 has a CVSS score of 9.3, rated Critical. Verified proof-of-concept code exists, which increases the likelihood of exploitation. The patch fixes input validation and execution controls to prevent unauthorized command execution and protect hosted code environments.
Key Details
- Affected Product: Gogs
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- CWE Classification: CWE-345