Description
Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, there is an arbitrary file read/write via path traversal in Git hook editing. This issue has been patched in versions 0.13.4 and 0.14.0+dev.
Published: 2026-02-06
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Read/Write via Path Traversal
Action: Patch
AI Analysis

Impact

The vulnerability in Gogs occurs when editing Git hook files, allowing an attacker to use directory traversal characters to read or write files anywhere on the host. This results in the ability to access sensitive configuration files, credentials, or to alter executable hook scripts, potentially leading to broader compromise of the system. The weakness is a classic path traversal flaw (CWE‑22).

Affected Systems

The CVE affects the open source Gogs self‑hosted Git service, specifically versions 0.13.3 and earlier. The issue has been addressed in version 0.13.4 and all subsequent releases, including 0.14.0 and later development builds. Systems running the vulnerable branches should be notified of the need to upgrade.

Risk and Exploitability

The CVSS score of 6.5 indicates a medium severity, while the EPSS score is reported as less than 1 %, suggesting a very low current exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is through the web interface while editing Git hooks, enabling a remote authenticated user to inject traversal sequences and manipulate files outside the repository. If an attacker gains the necessary permissions, the impact can be significant, but the low exploitation likelihood and absence from KEV mitigate immediate threat concerns.

Generated by OpenCVE AI on April 18, 2026 at 13:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Ensure Gogs is updated to version 0.13.4 or later, which contains the patch for the path traversal flaw.
  • If an immediate upgrade is not possible, restrict the ability to edit Git hooks to trusted administrators only and disable the hook editing feature for all other users in the web configuration.
  • Apply stricter file permissions on the hook directory, preventing write access to sensitive system locations, and monitor for any anomalous file modifications to detect potential abuse.

Generated by OpenCVE AI on April 18, 2026 at 13:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-mrph-w4hh-gx3g Gogs has arbitrary file read/write via Path Traversal in Git hook editing
History

Tue, 17 Feb 2026 22:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:gogs:gogs:*:*:*:*:*:*:*:*

Mon, 09 Feb 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Gogs
Gogs gogs
Vendors & Products Gogs
Gogs gogs

Fri, 06 Feb 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 06 Feb 2026 18:00:00 +0000

Type Values Removed Values Added
Description Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, there is an arbitrary file read/write via path traversal in Git hook editing. This issue has been patched in versions 0.13.4 and 0.14.0+dev.
Title Gogs has arbitrary file read/write via path traversal in Git hook editing
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N'}

Subscriptions

Gogs Gogs
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-06T18:53:26.328Z

Reserved: 2026-01-14T16:08:37.483Z

Link: CVE-2026-23633

cve-icon Vulnrichment

Updated: 2026-02-06T18:53:20.945Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-06T18:15:56.727

Modified: 2026-02-17T21:54:40.833

Link: CVE-2026-23633

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T13:45:45Z

Weaknesses