Gogs rebase-before-merging RCE flaw
Vulnerability
Summary
Gogs has an unpatched authenticated-user RCE flaw in Rebase before merging, where a malicious branch name can inject `--exec` into `git rebase` and trigger server code execution. The issue affects all supported platforms and can expose private repositories and credentials on shared instances. A public Metasploit module also automates the exploit chain, increasing abuse risk.
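As an added illustration (my own Go code, not Gogs' or Rapid7's), the defensive check such a code path needs: a user-controlled branch name must be validated against git's ref-name rules, above all rejecting a leading `-`, before it is placed into a `git rebase` argv. The `--end-of-options` separator (git 2.24 and later) and the function names are my own choices, not anything from the Gogs code base.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrUnsafeBranchName is returned when a name could be parsed by git as an
// option, or is otherwise not a valid ref name.
var ErrUnsafeBranchName = errors.New("unsafe or invalid branch name")

// ValidateBranchName applies the git check-ref-format rules that matter when
// a user-controlled name ends up in a git argv. The decisive check for the
// Gogs issue is the leading "-": a name such as "--exec=..." would otherwise
// be consumed by `git rebase` as an option rather than a branch.
func ValidateBranchName(name string) error {
	if name == "" || name == "@" || strings.HasPrefix(name, "-") {
		return ErrUnsafeBranchName
	}
	if strings.HasPrefix(name, "/") || strings.HasPrefix(name, ".") ||
		strings.HasSuffix(name, "/") || strings.HasSuffix(name, ".") ||
		strings.HasSuffix(name, ".lock") {
		return ErrUnsafeBranchName
	}
	if strings.Contains(name, "..") || strings.Contains(name, "@{") ||
		strings.Contains(name, "//") || strings.Contains(name, "/.") {
		return ErrUnsafeBranchName
	}
	for _, r := range name {
		// Control characters, space and git's reserved metacharacters.
		if r < 0x20 || r == 0x7f || strings.ContainsRune(" ~^:?*[\\", r) {
			return ErrUnsafeBranchName
		}
	}
	return nil
}

// RebaseArgs builds the argv for rebasing headBranch onto baseBranch. Both
// names are validated first; "--end-of-options" is placed before them so git
// stops option parsing even if a name somehow slipped past validation.
func RebaseArgs(baseBranch, headBranch string) ([]string, error) {
	for _, n := range []string{baseBranch, headBranch} {
		if err := ValidateBranchName(n); err != nil {
			return nil, fmt.Errorf("%w: %q", err, n)
		}
	}
	return []string{"git", "rebase", "--end-of-options", baseBranch, headBranch}, nil
}

func main() {
	// Constructed inputs: a normal branch and one shaped like an option.
	for _, head := range []string{"feature/login", "--exec=true"} {
		args, err := RebaseArgs("main", head)
		fmt.Println(args, err)
	}
}
```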
Related Happenings
Gogs self-hosted Git service argument injection zero-day remote code execution flaw
Vulnerability
First: 28.05.2026 17:25
Last: 28.05.2026 17:25
Sources 1
About this happening:
An **unpatched zero-day** in **Gogs** exposes **Internet-facing instances** to **remote code execution** and possible credential theft. The flaw is an **argument injection** bug i...
Gogs path traversal in the PutContents API (CVE-2025-8110)
Vulnerability
First: 13.01.2026 09:15
Last: 13.01.2026 09:15
Sources 1
About this happening:
**CISA** added **CVE-2025-8110** in **Gogs** to the **KEV catalog**, confirming **active exploitation** of a **path traversal** flaw that can lead to **code execution**. The weakn...
Gogs Internet-facing exploitation wave (CVE-2025-8110)
Exploitation Wave
First: 11.12.2025 15:19
Last: 11.12.2025 15:19
Sources 1
About this happening:
**Gogs** servers were caught in a broad **active exploitation wave** that left **more than 700 compromised instances** among **1,400+ exposed servers**. The abuse centered on **CV...
Timeline
- 28.05.2026 03:00 · 2 articles · 19h ago
Rapid7 discloses critical Gogs RCE flaw
Initial Disclosure: Rapid7 discloses a critical 9.4 CVSS Gogs vulnerability that lets any authenticated user achieve remote code execution by creating a pull request with a malicious branch name that injects `--exec` into `git rebase` during Rebase before merging; the issue remains unpatched and affects supported Windows, Linux, and macOS deployments.
Sources:
- Critical Gogs RCE Vulnerability Lets Any Authenticated User Execute Arbitrary Code — thehackernews.com — 28.05.2026 20:24
- 17.03.2026 02:00 · 1 article · 2mo ago
Gogs maintainer receives report of authenticated-user RCE flaw
Untyped Phase: The Gogs maintainer receives a report of a critical flaw in the Rebase before merging merge operation that can let an authenticated user achieve remote code execution by creating a pull request with a malicious branch name that injects `--exec` into `git rebase`.
Sources:
- Critical Gogs RCE Vulnerability Lets Any Authenticated User Execute Arbitrary Code — thehackernews.com — 28.05.2026 20:24