Vulnerability
Unpatched Gogs Rebase Injection Remote Code Execution Risk
Updated 28.05.2026 17:25
Case score 59
Score breakdown
- Total: 59
- Lead score: 59
- Support bonus: +0 / 20
- Scoring support: 0
- Context members: 0
Top contributors
- Vulnerability: Defines the unpatched Gogs rebase argument injection issue, affected versions, attack path, and current exposure concerns.
Members 1
Latest activity 28.05.2026 17:25
First seen 28.05.2026 17:25
Last seen 28.05.2026 17:25
Overview
An unpatched **Gogs** argument injection flaw in the **Rebase before merging** workflow can give an authenticated, non-admin user remote code execution on self-hosted servers. The issue affects **Gogs 0.14.2** and **0.15.0+dev**, and default deployments with open registration and unrestricted repository creation lower the barrier to reaching the vulnerable path.
Public technical details describe server compromise risk, exposure of private repositories and secrets, and potential code tampering. The maintainers had acknowledged the report, but no patch or remediation timeline was available at disclosure time, while more than **2,400** Internet-facing Gogs servers were noted as exposed overall.
Attackers can gain remote code execution on **Gogs** servers through an unpatched argument injection flaw in the **Rebase before merging** path. The issue affects **Gogs 0.14.2** and **0.15.0+dev**: a malicious branch name can inject the `--exec` flag into `git rebase` during merge processing. The flaw requires an authenticated account but not admin rights, and default deployments with open registration and unlimited repository creation lower that barrier because a user can create an account and a repository before triggering the vulnerable flow. Successful exploitation can run code as the Gogs server process user and expose private repositories, password hashes, API tokens, SSH keys, and 2FA secrets, while also enabling code tampering and lateral movement to other reachable systems.
The weakness was reported to the maintainers on March 17, acknowledged on March 28, and remained unpatched when public technical details were released on May 28. Available material also notes more than **2,400** Internet-facing Gogs servers, with concentrations in **Asia** and **Europe**, which increases the number of systems administrators need to review for exposure. Available evidence does not confirm in-the-wild exploitation of this specific zero-day, and no vendor patch or final remediation timeline was available at disclosure time.
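As an added defensive illustration (this is not Gogs code and does not reproduce the vulnerable path), the Python below shows the control the page implies is missing: validating user-controlled branch names so that an option-like value such as `--exec=...` is rejected before it is placed in a `git rebase` argv, plus an audit helper administrators can run over existing branch names. The function names, the allowlist and the sample branch list are assumptions of this example.

```python
import re

# Conservative allowlist, stricter than git's own ref rules, chosen so that
# no accepted name can begin with '-' (which git would parse as an option).
_SAFE_BRANCH = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._/-]*$")


def branch_name_problem(name: str):
    """Return None if `name` is safe to place in a git argv, else the reason."""
    if not name:
        return "empty name"
    if name.startswith("-"):
        return "option-like name (starts with '-')"
    if ".." in name or "@{" in name or "//" in name:
        return "forbidden sequence"
    if name.endswith(".lock") or name.endswith("/") or name.endswith("."):
        return "forbidden suffix"
    if not _SAFE_BRANCH.fullmatch(name):
        return "character outside allowlist"
    return None


def is_safe_branch_name(name: str) -> bool:
    return branch_name_problem(name) is None


def rebase_argv(head_branch: str, base_branch: str) -> list:
    """Build argv (a list, never a shell string) for a merge-time rebase.
    Both names are validated first, so an attacker-chosen value such as
    '--exec=...' is refused before git ever sees it."""
    for name in (head_branch, base_branch):
        problem = branch_name_problem(name)
        if problem:
            raise ValueError(f"refusing branch name {name!r}: {problem}")
    return ["git", "rebase", base_branch, head_branch]


def audit_branches(names):
    """Defender-side check: flag existing branch names that look option-like
    or malformed, so repositories can be reviewed before rebase-based merges."""
    return {n: branch_name_problem(n) for n in names if branch_name_problem(n)}


if __name__ == "__main__":
    # Constructed sample branch list; the option-like entries are illustrative.
    sample = ["main", "feature/login", "--exec=PLACEHOLDER", "-i", "wip..tmp"]
    print(audit_branches(sample))
```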