A newly disclosed flaw in Gogs can let attackers take over internet-exposed code servers if they can register a normal user account. The unpatched argument-injection vulnerability, not yet assigned a CVE, affects Gogs 0.14.2 and 0.15.0+dev and is triggered during the "Rebase before merging" pull-request flow; because open registration is enabled by default, many default-configured servers may be reachable by unauthenticated attackers who simply sign up first. Rapid7 says successful exploitation can lead to remote code execution as the server process user, access to private repositories, and theft of password hashes, API tokens, SSH keys, and 2FA secrets.
Why it matters: Organizations running self-hosted Gogs should treat this as urgent because exposed servers may be compromisable even without an existing attacker account. Until a fix is available, admins should disable open registration, restrict internet exposure, and review whether rebase-merging can be turned off or tightly limited.
Sergiu Gatlan
2026.06.08
98% relevant
This article is a direct update to the same Gogs argument-injection zero-day: it adds that Gogs released version 0.14.3 on June 7 to fix the flaw, requested a CVE, and published concrete mitigations for users who cannot patch immediately.
2026.05.29
98% relevant
This article is the same underlying Gogs zero-day event and adds that there is still no official fix, Rapid7 has now published a Metasploit exploit module, the researcher says maintainers stopped responding after March 28, and a proposed patch has been submitted while users are urged to disable registration and rebase merging.
Ionut Arghire
2026.05.29
98% relevant
This article is a direct report on the same Gogs zero-day event, adding technical detail from Rapid7 on the argument-injection root cause, the "Rebase before merging" attack path via malicious branch names, default open registration risk, cross-platform impact, lack of a patch, and the release of a Metasploit module and indicators of compromise.
info@thehackernews.com (The Hacker News)
2026.05.28
97% relevant
This article appears to cover the same underlying Gogs authenticated remote code execution issue, adding another report that characterizes it as critical and exploitable by any authenticated user on affected self-hosted servers.
Sergiu Gatlan
2026.05.28
100% relevant
This article establishes a distinct new Gogs zero-day event: a newly disclosed, unpatched remote-code-execution flaw in current Gogs releases, separate from the earlier CVE-2025-8110 zero-day mentioned only as background.