Impact
This vulnerability allows an attacker who is authenticated and has write access to a Gogs repository's wiki to delete arbitrary files on the host system. By manipulating the old_title parameter during a wiki page edit, the attacker can cause the updateWikiPage function to remove files outside the intended wiki directory. The impact is loss of confidential data, configuration files, or application code, potentially leading to denial of service or destruction of critical assets. The underlying weakness is a classic path traversal flaw (CWE-22).
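The defensive check that this class of bug lacks is a containment test: a user-supplied page title must be mapped to a file path that provably lies inside the wiki directory before any file is removed. The Go example below is an added illustration of that check and is not Gogs' own code; the names SafeWikiPagePath, RemoveOldWikiPage, wikiRoot and the ".md" page suffix are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrUnsafeTitle is returned when a page title would resolve outside the wiki directory.
var ErrUnsafeTitle = errors.New("wiki page title escapes the wiki directory")

// SafeWikiPagePath maps a user-supplied wiki page title to a file path that is
// guaranteed to lie inside wikiRoot. Hypothetical helper for this example.
func SafeWikiPagePath(wikiRoot, title string) (string, error) {
	// A page title is a single file name: reject empty titles and any path
	// separator outright, which already stops "../" style values.
	if title == "" || strings.ContainsAny(title, `/\`) {
		return "", ErrUnsafeTitle
	}
	root, err := filepath.Abs(wikiRoot)
	if err != nil {
		return "", err
	}
	// filepath.Join cleans the result, so "..", "." and repeated separators
	// are resolved before the containment check below.
	candidate := filepath.Join(root, title+".md")

	// Belt and suspenders: compute the path relative to the root and make sure
	// it does not start with ".." (i.e. it never climbs above wikiRoot).
	rel, err := filepath.Rel(root, candidate)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) || filepath.IsAbs(rel) {
		return "", ErrUnsafeTitle
	}
	return candidate, nil
}

// RemoveOldWikiPage deletes the file backing oldTitle, but only after the
// title has been proven to stay inside wikiRoot. This is the step a rename
// handler should take instead of trusting the old title as a raw path.
func RemoveOldWikiPage(wikiRoot, oldTitle string) error {
	p, err := SafeWikiPagePath(wikiRoot, oldTitle)
	if err != nil {
		return err
	}
	return os.Remove(p)
}

func main() {
	// Constructed sample: a temporary wiki directory with one page in it.
	dir, err := os.MkdirTemp("", "wiki-example")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	if err := os.WriteFile(filepath.Join(dir, "Home.md"), []byte("# Home"), 0o600); err != nil {
		panic(err)
	}
	for _, title := range []string{"Home", "../outside", "..", "Sub/Page"} {
		fmt.Printf("%-14q -> %v\n", title, RemoveOldWikiPage(dir, title))
	}
}
```

Only the in-tree title succeeds; the others are refused before os.Remove is ever called. The relative-path check is kept even though the separator filter already rejects traversal, so that a later relaxation of the title rules (for example allowing subpages) cannot silently reintroduce the escape.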
Affected Systems
The flaw exists in Gogs versions 0.13.3 and earlier, including the 0.13.x series and all 0.14.0 build releases prior to the fix. It affects self-hosted Git deployments running the Gogs application bundle.
Risk and Exploitability
With a CVSS score of 7.2, the vulnerability is considered high severity. The likelihood of exploitation is currently very low (EPSS < 1 %), and it is not listed in CISA's KEV catalog, suggesting no widespread public exploitation is known. However, the attack only requires authentication with write access to a wiki, a privilege that is often granted to developers or contributors, so the risk is significant for organizations that grant it broadly. The absence of a public exploit does not mitigate the threat, as the path traversal logic is straightforward for a skilled attacker who already holds write access.