Find notable cyber news and cases, enriched with sources, timelines, and signals.

Gogs Internet-facing exploitation wave (CVE-2025-8110)

Exploitation Wave
First reported
Last updated
Happening score
H score 54
1 unique sources, 1 articles

Summary

Hide ▲

Gogs servers were caught in a broad active exploitation wave that left more than 700 compromised instances among 1,400+ exposed servers. The abuse centered on CVE-2025-8110, a path traversal flaw in the PutContents API that enabled remote code execution on internet-facing deployments. Researchers tracked the activity from July to November 2025, including a second wave on November 1, indicating sustained automated targeting. The scale and repeat activity meant publicly reachable Gogs instances remained at immediate risk until access was restricted and the flaw was patched.

Related Happenings

Gogs rebase-before-merging RCE flaw

Vulnerability
H score41 First: 28.05.2026 20:24 Last: 28.05.2026 20:24 Sources 1

About this happening: **Gogs** has an **unpatched authenticated-user RCE flaw** in **Rebase before merging**, where a malicious branch name can inject `--exec` into `git rebase` and trigger **server co...

Gogs self-hosted Git service argument injection zero-day remote code execution flaw

Vulnerability
H score62 First: 28.05.2026 17:25 Last: 28.05.2026 17:25 Sources 1

About this happening: An **unpatched zero-day** in **Gogs** exposes **Internet-facing instances** to **remote code execution** and possible credential theft. The flaw is an **argument injection** bug i...

Latest development: 08.06.2026 19:18

Gogs maintainers released version 0.14.3 on June 7 to patch the critical argument injection zero-day affecting Internet-facing Gogs instances and requested a CVE ID. Rapid7 recommended that all Gogs users upgrade immediately and, until patching is possible, restrict registration with DISABLE_REGISTRATION = true, limit repository creation with MAX_CREATION_LIMIT = 0, and audit Rebase before merging settings.

LMDeploy SSRF flaw (CVE-2026-33626, actively exploited)

Vulnerability
H score46 First: 24.04.2026 10:24 Last: 24.04.2026 10:24 Sources 1

About this happening: **LMDeploy CVE-2026-33626** is being **actively exploited** within **13 hours** of disclosure, turning a **vision-language SSRF flaw** into a path to **cloud credentials** and **i...

D-Link DIR-823X command-injection RCE (CVE-2025-29635)

Vulnerability
H score40 First: 22.04.2026 23:04 Last: 22.04.2026 23:04 Sources 1

About this happening: **CVE-2025-29635** is now being **actively exploited** on **D-Link DIR-823X routers**, turning a command-injection flaw into **remote command execution** and **botnet enrollment**...

TrueChaos TrueConf CVE-2026-3502 campaign targeting Southeast Asian government entities

Campaign
H score79 First: 02.04.2026 00:35 Last: 02.04.2026 00:35 Sources 1

About this happening: The **TrueChaos** campaign has been exploiting **CVE-2026-3502** in **TrueConf** zero-day attacks against **government entities in Southeast Asia**, turning compromised servers in...

Timeline

  1. 01.11.2025 02:00 1 articles · 8mo ago

    Second wave of Gogs exploitation observed on November 1

    Exploitation Observed

    A second wave of attacks against Internet-facing Gogs instances was observed on November 1, 2025, showing that active exploitation continued after the initial disclosure. The campaign continued to abuse the CVE-2025-8110 path traversal weakness in the PutContents API to gain remote code execution on exposed servers.

    Show sources
  2. 30.10.2025 02:00 1 articles · 8mo ago

    Gogs maintainers acknowledge CVE-2025-8110 while developing a patch

    Mitigation Patch Update

    Gogs maintainers acknowledged the CVE-2025-8110 flaw on October 30, 2025 while still developing a patch. The weakness is a path traversal issue in the PutContents API that lets symbolic links be abused to overwrite files outside the repository and bypass the prior CVE-2024-55947 fix.

    Show sources
  3. 17.07.2025 03:00 2 articles · 11mo ago

    Wiz Research discloses Gogs zero-day exploitation

    Initial Disclosure

    Wiz Research discovered an unpatched Gogs zero-day while investigating a malware infection on a customer's Internet-facing Gogs server in July 2025 and reported the flaw to Gogs maintainers on July 17, 2025. The investigation also linked the activity to over 1,400 publicly exposed Gogs servers, more than 700 compromised instances, random eight-character repository names, Supershell malware, and command-and-control traffic to 119.45.176[.]196.

    Show sources