{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/gogs-0.15.0+dev/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":["cpe:2.3:a:gogs:gogs:*:*:*:*:*:*:*:*"],"_cs_cves":[{"cvss":8.8,"id":"CVE-2025-8110"},{"cvss":7.7,"id":"CVE-2024-39933"},{"cvss":9.9,"id":"CVE-2024-39932"},{"cvss":7.3,"id":"CVE-2026-26194"},{"cvss":9.9,"id":"CVE-2024-39930"}],"_cs_exploited":true,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Gogs 0.14.2","Gogs 0.15.0+dev"],"_cs_severities":["critical"],"_cs_tags":["rce","zero-day","argument injection"],"_cs_type":"threat","_cs_vendors":["Gogs"],"content_html":"\u003cp\u003eA zero-day vulnerability has been discovered in Gogs, a self-hosted Git service, affecting versions 0.14.2 and 0.15.0+dev. This critical severity flaw is an argument injection vulnerability that allows authenticated attackers to execute arbitrary code remotely on Internet-facing Gogs instances with default configurations. The vulnerability stems from a failure to properly sanitize input during the \u0026ldquo;Rebase before merging\u0026rdquo; merge operation, specifically within the Merge() function. An attacker can exploit this flaw by creating a malicious branch name within a pull request. This issue was reported to Gogs maintainers on March 17, 2026, but remains unpatched as of May 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker registers a new user account on a Gogs instance due to open registration being enabled by default.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a new repository as the newly registered user. There are no limits to repository creation on default-configured instances.\u003c/li\u003e\n\u003cli\u003eThe attacker, now the owner of the repository, enables the \u0026ldquo;Rebase before merging\u0026rdquo; option in the repository settings.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a malicious branch with a specially crafted name designed to inject the \u0026ldquo;--exec\u0026rdquo; flag into the \u003ccode\u003egit rebase\u003c/code\u003e command.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates a pull request targeting the main branch, incorporating the malicious branch.\u003c/li\u003e\n\u003cli\u003eThe Gogs server attempts to perform a \u0026ldquo;Rebase before merging\u0026rdquo; operation, triggering the vulnerability due to the injected arguments.\u003c/li\u003e\n\u003cli\u003eThe injected \u003ccode\u003egit rebase\u003c/code\u003e command executes arbitrary code as the Gogs server process user.\u003c/li\u003e\n\u003cli\u003eThe attacker gains full control of the Gogs server, allowing them to read all repositories, dump credentials, pivot to other systems, and modify any hosted repository\u0026rsquo;s code.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers to execute arbitrary code remotely as the Gogs server process user. This grants them the ability to compromise the server, access all repositories (including private ones), dump credentials (password hashes, API tokens, SSH keys, 2FA secrets), pivot to other network-accessible systems, and modify any hosted repository\u0026rsquo;s code. Shadowserver tracks over 2,400 Gogs servers exposed online, and Shodan identifies over 1,000 IP addresses with a Gogs fingerprint, making this a widespread threat. In December 2025, CVE-2025-8110, another Gogs RCE vulnerability, was actively exploited to compromise hundreds of servers, highlighting the potential for rapid exploitation of this new flaw.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUntil a patch is available, consider disabling open registration (\u003ccode\u003eDISABLE_REGISTRATION = true\u003c/code\u003e) to prevent unauthenticated users from creating accounts and repositories.\u003c/li\u003e\n\u003cli\u003eMonitor process execution for unexpected \u003ccode\u003egit rebase\u003c/code\u003e commands originating from the Gogs server process, using the \u0026ldquo;Detect Suspicious Git Rebase Command Execution\u0026rdquo; Sigma rule to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eInspect network traffic for suspicious outbound connections originating from Gogs servers, which could indicate successful exploitation and lateral movement, using the \u0026ldquo;Detect Outbound Connection from Gogs Server\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003cli\u003eReview and harden Gogs configurations to limit repository creation (\u003ccode\u003eMAX_CREATION_LIMIT\u003c/code\u003e) to reduce the attack surface.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-28T14:26:36Z","date_published":"2026-05-28T14:26:36Z","id":"https://feed.craftedsignal.io/briefs/2026-05-gogs-rce/","summary":"An unpatched argument injection vulnerability in Gogs (versions 0.14.2 and 0.15.0+dev) allows authenticated attackers to achieve remote code execution (RCE) on vulnerable instances, potentially leading to complete server compromise.","title":"Gogs Zero-Day Vulnerability Enables Remote Code Execution","url":"https://feed.craftedsignal.io/briefs/2026-05-gogs-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Gogs 0.15.0+dev","version":"https://jsonfeed.org/version/1.1"}