
Gogs self-hosted Git service argument injection zero-day remote code execution flaw

Vulnerability · Happening score 59 · 1 unique source, 1 article

Summary

An unpatched zero-day in Gogs exposes Internet-facing instances to remote code execution and possible credential theft. The flaw is an argument injection bug in the "Rebase before merging" code path and affects Gogs 0.14.2 and 0.15.0+dev. Because the default configuration allows open registration and unlimited repository creation, an attacker with only a basic, non-admin account can reach the vulnerable path.

Related Happenings

Mini Shai-Hulud SAP-related npm supply-chain campaign

Campaign
First: 29.04.2026 19:26 Last: 29.04.2026 19:26 Sources 1

About this happening: A new **Mini Shai-Hulud** supply-chain campaign is targeting **SAP-related npm packages**, putting **developer and CI/CD environments** at risk of credential theft and malicious p...

Latest development: 12.05.2026 11:50

Mini Shai-Hulud expands beyond the original SAP-related npm packages to compromise TanStack, UiPath, Mistral AI, OpenSearch, Guardrails AI, and DraftLab packages across npm and PyPI, with malicious payloads using router_init.js, GitHub Actions abuse, and exfiltration to filev2.getsession[.]org, api.masscan[.]cloud, or attacker-controlled GitHub repositories.

Gogs path traversal in the PutContents API (CVE-2025-8110)

Vulnerability
First: 13.01.2026 09:15 Last: 13.01.2026 09:15 Sources 1

About this happening: **CISA** added **CVE-2025-8110** in **Gogs** to the **KEV catalog**, confirming **active exploitation** of a **path traversal** flaw that can lead to **code execution**. The weakn...

Gogs Internet-facing exploitation wave (CVE-2025-8110)

Exploitation Wave
First: 11.12.2025 15:19 Last: 11.12.2025 15:19 Sources 1

About this happening: **Gogs** servers were caught in a broad **active exploitation wave** that left **more than 700 compromised instances** among **1,400+ exposed servers**. The abuse centered on **CV...

Timeline

  1. 28.05.2026 17:25 · 1 article

    Rapid7 reports unpatched Gogs remote code execution flaw

    Initial Disclosure

    Rapid7 researcher Jonah Burges reported an unpatched argument injection flaw in the Gogs self-hosted Git service to the maintainers on March 17, describing a critical issue that can let authenticated attackers without admin privileges gain remote code execution on Internet-facing instances.

  2. 28.05.2026 17:25 · 1 article

    Gogs maintainers acknowledge the remote code execution report without a patch

    Untyped Phase

    The Gogs maintainers acknowledged the March 17 report on March 28, but provided no patch and no further status update after that acknowledgment.

  3. 28.05.2026 17:25 · 2 articles

    Rapid7 details an unpatched Gogs argument injection zero-day

    Technical Analysis Update

    Rapid7 publicly detailed an unpatched zero-day in the Gogs self-hosted Git service on May 28, 2026, explaining how a malicious branch name can inject the "--exec" flag into git rebase during the "Rebase before merging" operation, allowing remote code execution, server compromise, repository access, credential dumping, and code modification. The report says the flaw affects Gogs 0.14.2 and 0.15.0+dev, can be triggered by authenticated attackers without admin privileges, and is especially exposed on default-configured servers with open registration enabled. Shadowserver also tracks over 2,400 exposed Gogs servers, most in Asia and Europe.
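The defensive counterpart to the branch-name injection described in the timeline, as an added example written for this page (not Gogs' own rebase code; the helper names validateRefName and rebaseArgv are hypothetical): ref names are checked against git's own ref-name rules, anything beginning with "-" is refused outright, and user-controlled names are placed only after the "--" end-of-options marker so git's option parser can never read them as flags such as --exec.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrBadRef marks a user-supplied ref name that must never reach a git argv.
var ErrBadRef = errors.New("unsafe git ref name")

// validateRefName applies the core git check-ref-format rules and, the point
// for argument injection, refuses any name that begins with "-".
func validateRefName(name string) error {
	switch {
	case name == "" || name == "@":
		return fmt.Errorf("%w: empty or bare '@'", ErrBadRef)
	case strings.HasPrefix(name, "-"):
		return fmt.Errorf("%w: %q would be parsed as an option", ErrBadRef, name)
	case strings.HasPrefix(name, "/"), strings.HasSuffix(name, "/"),
		strings.HasSuffix(name, "."), strings.HasSuffix(name, ".lock"),
		strings.Contains(name, ".."), strings.Contains(name, "//"),
		strings.Contains(name, "@{"):
		return fmt.Errorf("%w: %q breaks git ref-name rules", ErrBadRef, name)
	}
	for _, r := range name {
		if r < 0x20 || r == 0x7f || strings.ContainsRune(" ~^:?*[\\", r) {
			return fmt.Errorf("%w: %q contains forbidden %q", ErrBadRef, name, r)
		}
	}
	return nil
}

// rebaseArgv builds "git rebase <base> <head>" arguments (hypothetical helper, not
// the Gogs code path): names are validated and placed after "--", never as flags.
func rebaseArgv(base, head string) ([]string, error) {
	for _, n := range []string{base, head} {
		if err := validateRefName(n); err != nil {
			return nil, err
		}
	}
	return []string{"rebase", "--", base, head}, nil
}

func main() {
	_, err := rebaseArgv("main", "--exec")
	fmt.Println("rejected:", err)
	argv, _ := rebaseArgv("main", "feature/login")
	fmt.Println("git", strings.Join(argv, " "))
}
```

The validation runs before any process is spawned, so an option-shaped name never reaches exec at all; the "--" marker is the second, independent layer in case validation is bypassed elsewhere.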