Find notable cyber news and cases, enriched with sources, timelines, and signals.

Gogs self-hosted Git service argument injection zero-day remote code execution flaw

Vulnerability
First reported
Last updated
Happening score
H score 62
1 unique sources, 2 articles

Summary

Hide ▲

An unpatched zero-day in Gogs exposes Internet-facing instances to remote code execution and possible credential theft. The flaw is an argument injection bug in the Rebase before merging path, and it affects Gogs 0.14.2 and 0.15.0+dev. Because default configurations allow open registration and unlimited repository creation, a non-admin attacker can reach the exploit chain with basic account access.

Cases

Related Happenings

Gogs rebase-before-merging RCE flaw

Vulnerability
H score41 First: 28.05.2026 20:24 Last: 28.05.2026 20:24 Sources 1

About this happening: **Gogs** has an **unpatched authenticated-user RCE flaw** in **Rebase before merging**, where a malicious branch name can inject `--exec` into `git rebase` and trigger **server co...

Mini Shai-Hulud SAP-related npm supply-chain campaign

Campaign
H score45 First: 29.04.2026 19:26 Last: 29.04.2026 19:26 Sources 1

About this happening: A new **Mini Shai-Hulud** supply-chain campaign is targeting **SAP-related npm packages**, putting **developer and CI/CD environments** at risk of credential theft and malicious p...

Latest development: 12.05.2026 11:50

Mini Shai-Hulud expands beyond the original SAP-related npm packages to compromise TanStack, UiPath, Mistral AI, OpenSearch, Guardrails AI, and DraftLab packages across npm and PyPI, with malicious payloads using router_init.js, GitHub Actions abuse, and exfiltration to filev2.getsession[.]org, api.masscan[.]cloud, or attacker-controlled GitHub repositories.

Gogs path traversal in the PutContents API (CVE-2025-8110)

Vulnerability
H score54 First: 13.01.2026 09:15 Last: 13.01.2026 09:15 Sources 1

About this happening: **CISA** added **CVE-2025-8110** in **Gogs** to the **KEV catalog**, confirming **active exploitation** of a **path traversal** flaw that can lead to **code execution**. The weakn...

Gogs Internet-facing exploitation wave (CVE-2025-8110)

Exploitation Wave
H score54 First: 11.12.2025 15:19 Last: 11.12.2025 15:19 Sources 1

About this happening: **Gogs** servers were caught in a broad **active exploitation wave** that left **more than 700 compromised instances** among **1,400+ exposed servers**. The abuse centered on **CV...

Timeline

  1. 08.06.2026 19:18 1 articles · 1mo ago

    Gogs maintainers release 0.14.3 to patch critical argument injection zero-day

    Mitigation Patch Update

    Gogs maintainers released version 0.14.3 on June 7 to patch the critical argument injection zero-day affecting Internet-facing Gogs instances and requested a CVE ID. Rapid7 recommended that all Gogs users upgrade immediately and, until patching is possible, restrict registration with DISABLE_REGISTRATION = true, limit repository creation with MAX_CREATION_LIMIT = 0, and audit Rebase before merging settings.

    Show sources
  2. 28.05.2026 17:25 1 articles · 1mo ago

    Rapid7 reports unpatched Gogs remote code execution flaw

    Initial Disclosure

    Rapid7 researcher Jonah Burges reported an unpatched argument injection flaw in the Gogs self-hosted Git service to the maintainers on March 17, describing a critical issue that can let authenticated attackers without admin privileges gain remote code execution on Internet-facing instances.

    Show sources
  3. 28.05.2026 17:25 1 articles · 1mo ago

    Gogs maintainers acknowledge the remote code execution report without a patch

    Untyped Phase

    The Gogs maintainers acknowledged the March 17 report on March 28, but they had not provided a patch or further status update after the acknowledgment.

    Show sources
  4. 28.05.2026 17:25 2 articles · 1mo ago

    Rapid7 details an unpatched Gogs argument injection zero-day

    Technical Analysis Update

    Rapid7 publicly detailed an unpatched zero-day in the Gogs self-hosted Git service on May 28, 2026, explaining how a malicious branch name can inject the "—exe"c flag into git rebase during the "Rebase before merging" operation and allow remote code execution, server compromise, repository access, credential dumping, and code modification. The report says the flaw affects Gogs 0.14.2 and 0.15.0+dev, can be triggered by authenticated attackers without admin privileges, and is especially exposed on default-configured servers with open registration enabled; Shadowserver also tracks over 2,400 exposed Gogs servers, most in Asia and Europe.

    Show sources