Gogs Internet-facing exploitation wave (CVE-2025-8110)
Exploitation Wave
Summary
Hide ▲
Show ▼
Gogs servers were caught in a broad active exploitation wave that left more than 700 compromised instances among 1,400+ exposed servers. The abuse centered on CVE-2025-8110, a path traversal flaw in the PutContents API that enabled remote code execution on internet-facing deployments. Researchers tracked the activity from July to November 2025, including a second wave on November 1, indicating sustained automated targeting. The scale and repeat activity meant publicly reachable Gogs instances remained at immediate risk until access was restricted and the flaw was patched.
Related Happenings
Gogs rebase-before-merging RCE flaw
Vulnerability
H score41
First: 28.05.2026 20:24
Last: 28.05.2026 20:24
Sources 1
About this happening:
**Gogs** has an **unpatched authenticated-user RCE flaw** in **Rebase before merging**, where a malicious branch name can inject `--exec` into `git rebase` and trigger **server co...
Gogs rebase-before-merging RCE flaw
VulnerabilityAbout this happening: **Gogs** has an **unpatched authenticated-user RCE flaw** in **Rebase before merging**, where a malicious branch name can inject `--exec` into `git rebase` and trigger **server co...
Gogs self-hosted Git service argument injection zero-day remote code execution flaw
Vulnerability
H score62
First: 28.05.2026 17:25
Last: 28.05.2026 17:25
Sources 1
About this happening:
An **unpatched zero-day** in **Gogs** exposes **Internet-facing instances** to **remote code execution** and possible credential theft. The flaw is an **argument injection** bug i...
Gogs self-hosted Git service argument injection zero-day remote code execution flaw
VulnerabilityAbout this happening: An **unpatched zero-day** in **Gogs** exposes **Internet-facing instances** to **remote code execution** and possible credential theft. The flaw is an **argument injection** bug i...
Latest development: 08.06.2026 19:18
Gogs maintainers released version 0.14.3 on June 7 to patch the critical argument injection zero-day affecting Internet-facing Gogs instances and requested a CVE ID. Rapid7 recommended that all Gogs users upgrade immediately and, until patching is possible, restrict registration with DISABLE_REGISTRATION = true, limit repository creation with MAX_CREATION_LIMIT = 0, and audit Rebase before merging settings.
LMDeploy SSRF flaw (CVE-2026-33626, actively exploited)
Vulnerability
H score46
First: 24.04.2026 10:24
Last: 24.04.2026 10:24
Sources 1
About this happening:
**LMDeploy CVE-2026-33626** is being **actively exploited** within **13 hours** of disclosure, turning a **vision-language SSRF flaw** into a path to **cloud credentials** and **i...
LMDeploy SSRF flaw (CVE-2026-33626, actively exploited)
VulnerabilityAbout this happening: **LMDeploy CVE-2026-33626** is being **actively exploited** within **13 hours** of disclosure, turning a **vision-language SSRF flaw** into a path to **cloud credentials** and **i...
D-Link DIR-823X command-injection RCE (CVE-2025-29635)
Vulnerability
H score40
First: 22.04.2026 23:04
Last: 22.04.2026 23:04
Sources 1
About this happening:
**CVE-2025-29635** is now being **actively exploited** on **D-Link DIR-823X routers**, turning a command-injection flaw into **remote command execution** and **botnet enrollment**...
D-Link DIR-823X command-injection RCE (CVE-2025-29635)
VulnerabilityAbout this happening: **CVE-2025-29635** is now being **actively exploited** on **D-Link DIR-823X routers**, turning a command-injection flaw into **remote command execution** and **botnet enrollment**...
TrueChaos TrueConf CVE-2026-3502 campaign targeting Southeast Asian government entities
Campaign
H score79
First: 02.04.2026 00:35
Last: 02.04.2026 00:35
Sources 1
About this happening:
The **TrueChaos** campaign has been exploiting **CVE-2026-3502** in **TrueConf** zero-day attacks against **government entities in Southeast Asia**, turning compromised servers in...
TrueChaos TrueConf CVE-2026-3502 campaign targeting Southeast Asian government entities
CampaignAbout this happening: The **TrueChaos** campaign has been exploiting **CVE-2026-3502** in **TrueConf** zero-day attacks against **government entities in Southeast Asia**, turning compromised servers in...
Timeline
-
01.11.2025 02:00 1 articles · 8mo ago
Second wave of Gogs exploitation observed on November 1
Exploitation ObservedA second wave of attacks against Internet-facing Gogs instances was observed on November 1, 2025, showing that active exploitation continued after the initial disclosure. The campaign continued to abuse the CVE-2025-8110 path traversal weakness in the PutContents API to gain remote code execution on exposed servers.
Show sources
- Hackers exploit unpatched Gogs zero-day to breach 700 servers — www.bleepingcomputer.com — 11.12.2025 15:19
-
30.10.2025 02:00 1 articles · 8mo ago
Gogs maintainers acknowledge CVE-2025-8110 while developing a patch
Mitigation Patch UpdateGogs maintainers acknowledged the CVE-2025-8110 flaw on October 30, 2025 while still developing a patch. The weakness is a path traversal issue in the PutContents API that lets symbolic links be abused to overwrite files outside the repository and bypass the prior CVE-2024-55947 fix.
Show sources
- Hackers exploit unpatched Gogs zero-day to breach 700 servers — www.bleepingcomputer.com — 11.12.2025 15:19
-
17.07.2025 03:00 2 articles · 11mo ago
Wiz Research discloses Gogs zero-day exploitation
Initial DisclosureWiz Research discovered an unpatched Gogs zero-day while investigating a malware infection on a customer's Internet-facing Gogs server in July 2025 and reported the flaw to Gogs maintainers on July 17, 2025. The investigation also linked the activity to over 1,400 publicly exposed Gogs servers, more than 700 compromised instances, random eight-character repository names, Supershell malware, and command-and-control traffic to 119.45.176[.]196.
Show sources
- Hackers exploit unpatched Gogs zero-day to breach 700 servers — www.bleepingcomputer.com — 11.12.2025 15:19
- Hackers exploit unpatched Gogs zero-day to breach 700 servers — www.bleepingcomputer.com — 11.12.2025 15:19