Find notable cyber news and cases, enriched with sources, timelines, and signals.

Gogs rebase-before-merging RCE flaw

Vulnerability
First reported
Last updated
Happening score
H score 41
1 unique sources, 1 articles

Summary

Hide ▲

Gogs has an unpatched authenticated-user RCE flaw in Rebase before merging, where a malicious branch name can inject `--exec` into `git rebase` and trigger server code execution. The issue affects all supported platforms and can expose private repositories and credentials on shared instances. A public Metasploit module also automates the exploit chain, increasing abuse risk.

Related Happenings

Gogs self-hosted Git service argument injection zero-day remote code execution flaw

Vulnerability
H score62 First: 28.05.2026 17:25 Last: 28.05.2026 17:25 Sources 1

About this happening: An **unpatched zero-day** in **Gogs** exposes **Internet-facing instances** to **remote code execution** and possible credential theft. The flaw is an **argument injection** bug i...

Latest development: 08.06.2026 19:18

Gogs maintainers released version 0.14.3 on June 7 to patch the critical argument injection zero-day affecting Internet-facing Gogs instances and requested a CVE ID. Rapid7 recommended that all Gogs users upgrade immediately and, until patching is possible, restrict registration with DISABLE_REGISTRATION = true, limit repository creation with MAX_CREATION_LIMIT = 0, and audit Rebase before merging settings.

Gogs path traversal in the PutContents API (CVE-2025-8110)

Vulnerability
H score54 First: 13.01.2026 09:15 Last: 13.01.2026 09:15 Sources 1

About this happening: **CISA** added **CVE-2025-8110** in **Gogs** to the **KEV catalog**, confirming **active exploitation** of a **path traversal** flaw that can lead to **code execution**. The weakn...

Gogs Internet-facing exploitation wave (CVE-2025-8110)

Exploitation Wave
H score54 First: 11.12.2025 15:19 Last: 11.12.2025 15:19 Sources 1

About this happening: **Gogs** servers were caught in a broad **active exploitation wave** that left **more than 700 compromised instances** among **1,400+ exposed servers**. The abuse centered on **CV...

Timeline

  1. 28.05.2026 03:00 2 articles · 1mo ago

    Rapid7 discloses critical Gogs RCE flaw

    Initial Disclosure

    Rapid7 discloses a critical 9.4 CVSS Gogs vulnerability that lets any authenticated user achieve remote code execution by creating a pull request with a malicious branch name that injects `--exec` into `git rebase` during Rebase before merging; the issue remains unpatched and affects supported Windows, Linux, and macOS deployments.

    Show sources
  2. 17.03.2026 02:00 1 articles · 3mo ago

    Gogs maintainer receives report of authenticated-user RCE flaw

    Untyped Phase

    The Gogs maintainer is reported a critical flaw in the Rebase before merging merge operation that can let an authenticated user achieve remote code execution by creating a pull request with a malicious branch name that injects `--exec` into `git rebase`.

    Show sources