Find notable cyber news and cases, enriched with sources, timelines, and signals.
Vulnerability Security Patch Release

Gogs Rebase Injection Remote Code Execution and 0.14.3 Patch Response

Updated 08.06.2026 19:18
Case score 59
Case score 59 Members 2 Latest activity 08.06.2026 19:18
Patch available
Members 2 First seen 28.05.2026 17:25 Last seen 08.06.2026 19:18 Updated 08.06.2026 19:18

Overview

A critical **Gogs** argument injection flaw in the **Rebase before merging** workflow exposed Internet-facing servers to authenticated remote code execution until **version 0.14.3** shipped on June 7, 2026. The flaw affects releases up to **0.14.2** and **0.15.0+dev**, and default open registration plus unrestricted repository creation can lower the barrier to reach the vulnerable path on exposed deployments. Successful abuse could expose private repositories and sensitive secrets while enabling unauthorized code changes or further movement from the server. Available evidence still does not confirm in-the-wild exploitation of this specific flaw, but operators now have a vendor fix and interim hardening steps if patching must wait.

Signals

2 derived
Impact signals
Remediation
Urgency Immediate Remediation Patch available

Member happenings

2 related
Vulnerability Gogs self-hosted Git service argument injection zero-day remote code execution flaw
Updated 28.05.2026 17:25 Lead Contribution 59
Data Type Passwords Patch No Patch

An **unpatched zero-day** in **Gogs** exposes **Internet-facing instances** to **remote code execution** and possible credential theft. The flaw is an **argument injection** bug in the **Rebase before merging** path, and it affects **Gogs 0.14.2** and **0.15.0+dev**. Because default configurations allow **open registration** and unlimited repository creation, a non-admin attacker can reach the exploit chain with basic account access.

Security Patch Release Gogs 0.14.3 security update for argument injection flaw
Updated 08.06.2026 19:18 Context
Urgency Immediate Patch Patch Available

The **Gogs maintainers** shipped **version 0.14.3** to fix a critical **argument injection** zero-day that could let attackers compromise **Internet-facing instances** and reach **private repositories**. The issue affected **all releases up to 0.14.2** and **0.15.0+dev**, and exploitation required only **authenticated non-admin access**. Successful abuse could expose repositories, steal credentials, move laterally, and alter hosted source code. Rapid7 urged operators to **upgrade immediately** and use temporary hardening if patching must wait.