Description
Gogs is an open source self-hosted Git service. Prior to 0.14.3, a malicious user with rights to create a new file on a repository or wiki page can trigger a denial of service condition in which the pages containing the listing of files will return HTTP error 500 and render the web interface unusable for the repository or wiki. The issue is present in file internal/route/repo/wiki.go and internal/route/repo/view.go where the pages try to recover commit information. If errors are returned while recovering commit information, the page will return a 500 error and stop rendering, resulting in a denial of service. This vulnerability is fixed in 0.14.3.
Published: 2026-06-24
Score: 4.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in Gogs allows a user with permission to create files in a repository or wiki to trigger a denial of service. When such a file is added, the server attempts to recover commit information for the listing pages. If the recovery fails, the page returns an HTTP 500 error and the web interface for that repository or wiki becomes unusable. The weakness is identified as improper input validation (CWE-20).

Affected Systems

The affected product is Gogs, an open‑source self‑hosted Git service. Versions prior to 0.14.3 are vulnerable. Any instance hosting repositories or wiki pages where untrusted users have write access is at risk, as the DoS can be targeted to a specific repository or wiki.

Risk and Exploitability

The CVSS score of 4.9 indicates a moderate severity. The EPSS score is not available, but the vulnerability is not listed in CISA’s KEV catalog. Exploitation requires a user with rights to create a new file; thus local or authorized users can trigger the denial. Because the impact is limited to a single repository or wiki, the overall risk is moderate, but it can effectively disrupt service for affected users or teams.

Generated by OpenCVE AI on June 24, 2026 at 21:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Gogs to version 0.14.3 or newer.
  • Restrict write permissions for untrusted users to prevent malicious file creation.
  • If an upgrade is not immediately possible, monitor affected repositories for HTTP 500 errors and isolate them to prevent cascading impact.

Generated by OpenCVE AI on June 24, 2026 at 21:17 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-3qq3-668m-v9mj Gogs has a Denial of Service in repository/wiki file listing web pages
History

Wed, 24 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Description Gogs is an open source self-hosted Git service. Prior to 0.14.3, a malicious user with rights to create a new file on a repository or wiki page can trigger a denial of service condition in which the pages containing the listing of files will return HTTP error 500 and render the web interface unusable for the repository or wiki. The issue is present in file internal/route/repo/wiki.go and internal/route/repo/view.go where the pages try to recover commit information. If errors are returned while recovering commit information, the page will return a 500 error and stop rendering, resulting in a denial of service. This vulnerability is fixed in 0.14.3.
Title Gogs: Denial of Service in repository/wiki file listing web pages
Weaknesses CWE-20
References
Metrics cvssV3_1

{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-24T20:03:07.239Z

Reserved: 2025-11-10T14:07:42.922Z

Link: CVE-2025-64719

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T21:30:04Z

Weaknesses
  • CWE-20

    Improper Input Validation