Gogs path traversal in the PutContents API (CVE-2025-8110)
Vulnerability
Summary
Hide ▲
Show ▼
CISA added CVE-2025-8110 in Gogs to the KEV catalog, confirming active exploitation of a path traversal flaw that can lead to code execution. The weakness sits in the repository file editor and stems from improper symbolic link handling in the PutContents API. Attackers can abuse the flaw to overwrite files outside the repository and pivot into execution through Git configuration manipulation. Wiz said the bug was used in zero-day attacks, and there is no patch yet.
Related Happenings
Gogs rebase-before-merging RCE flaw
Vulnerability
H score41
First: 28.05.2026 20:24
Last: 28.05.2026 20:24
Sources 1
About this happening:
**Gogs** has an **unpatched authenticated-user RCE flaw** in **Rebase before merging**, where a malicious branch name can inject `--exec` into `git rebase` and trigger **server co...
Gogs rebase-before-merging RCE flaw
VulnerabilityAbout this happening: **Gogs** has an **unpatched authenticated-user RCE flaw** in **Rebase before merging**, where a malicious branch name can inject `--exec` into `git rebase` and trigger **server co...
Gogs self-hosted Git service argument injection zero-day remote code execution flaw
Vulnerability
H score62
First: 28.05.2026 17:25
Last: 28.05.2026 17:25
Sources 1
About this happening:
An **unpatched zero-day** in **Gogs** exposes **Internet-facing instances** to **remote code execution** and possible credential theft. The flaw is an **argument injection** bug i...
Gogs self-hosted Git service argument injection zero-day remote code execution flaw
VulnerabilityAbout this happening: An **unpatched zero-day** in **Gogs** exposes **Internet-facing instances** to **remote code execution** and possible credential theft. The flaw is an **argument injection** bug i...
Latest development: 08.06.2026 19:18
Gogs maintainers released version 0.14.3 on June 7 to patch the critical argument injection zero-day affecting Internet-facing Gogs instances and requested a CVE ID. Rapid7 recommended that all Gogs users upgrade immediately and, until patching is possible, restrict registration with DISABLE_REGISTRATION = true, limit repository creation with MAX_CREATION_LIMIT = 0, and audit Rebase before merging settings.
Vim and GNU Emacs file-open RCE flaws remote code execution flaw
Vulnerability
H score28
First: 01.04.2026 00:45
Last: 01.04.2026 00:45
Sources 1
About this happening:
**Vim** and **GNU Emacs** have **file-open remote code execution** flaws that can run attacker code as soon as a crafted file is opened. The **Vim** issue affects **9.2.0271 and e...
Vim and GNU Emacs file-open RCE flaws remote code execution flaw
VulnerabilityAbout this happening: **Vim** and **GNU Emacs** have **file-open remote code execution** flaws that can run attacker code as soon as a crafted file is opened. The **Vim** issue affects **9.2.0271 and e...
CISA orders FCEB GitLab patching under BOD 22-01
Public Sector Action
H score29
First: 04.02.2026 17:42
Last: 04.02.2026 17:42
Sources 1
About this happening:
**CISA** ordered **FCEB agencies** to patch **GitLab CE/EE** against **CVE-2021-39935**, forcing remediation of an **actively exploited SSRF flaw** within **three weeks**. The dea...
CISA orders FCEB GitLab patching under BOD 22-01
Public Sector ActionAbout this happening: **CISA** ordered **FCEB agencies** to patch **GitLab CE/EE** against **CVE-2021-39935**, forcing remediation of an **actively exploited SSRF flaw** within **three weeks**. The dea...
GCVE launches as a decentralized vulnerability intelligence platform
Security Tool/Service
H score11
First: 21.01.2026 12:30
Last: 21.01.2026 12:30
Sources 1
About this happening:
**GCVE** launched as a **community-driven vulnerability intelligence platform**, giving defenders a **decentralized reference point** for tracking and correlating vulnerabilities...
GCVE launches as a decentralized vulnerability intelligence platform
Security Tool/ServiceAbout this happening: **GCVE** launched as a **community-driven vulnerability intelligence platform**, giving defenders a **decentralized reference point** for tracking and correlating vulnerabilities...
Timeline
-
13.01.2026 09:15 3 articles · 5mo ago
CISA adds CVE-2025-8110 in Gogs to the KEV catalog
Initial DisclosureCISA added CVE-2025-8110 in Gogs to the Known Exploited Vulnerabilities catalog after confirming active exploitation of a path traversal flaw in the PutContents API that can lead to code execution. Wiz said it observed zero-day abuse and identified 700 compromised Gogs instances, while CISA advised Gogs users to disable open registration and restrict access because no patch was available yet.
Show sources
- CISA Warns of Active Exploitation of Gogs Vulnerability Enabling Code Execution — thehackernews.com — 13.01.2026 09:15
- CISA Warns of Active Exploitation of Gogs Vulnerability Enabling Code Execution — thehackernews.com — 13.01.2026 09:15
- Hackers exploit unpatched Gogs zero-day to breach 700 servers — www.bleepingcomputer.com — 11.12.2025 15:19
-
13.01.2026 09:15 1 articles · 5mo ago
FCEB agencies face a February 2, 2026 mitigation deadline
Legal Policy Action UpdateFederal Civilian Executive Branch agencies are required to apply the necessary mitigations for Gogs CVE-2025-8110 by February 2, 2026, including disabling the default open-registration setting and limiting server access with a VPN or an allow-list. The deadline sits alongside the still-unpatched flaw and the active-exploitation warning for Gogs deployments.
Show sources
- CISA Warns of Active Exploitation of Gogs Vulnerability Enabling Code Execution — thehackernews.com — 13.01.2026 09:15