Description
Gogs is an open source self-hosted Git service. Prior to 0.14.3, a specially crafted issue index pattern can cause a panic when rendering, resulting in denial of service. In internal/markup/markup.go, RenderIssueIndexPattern renders the issue index pattern to a link using com.Expand, which is not safe: when the configured pattern contains an opening brace { but no closing brace }, strings.Index(template, "}") returns -1 and the subsequent slice template[:-1] triggers a panic. Once such a pattern is set, any page in the affected repository that contains an issue index reference such as #1 becomes unavailable. This vulnerability is fixed in 0.14.3.
Published: 2026-06-24
Score: 3.5 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Gogs allows repository owners to configure an issue index pattern that is displayed for issue references. A malformed pattern that begins with an opening brace but lacks a closing brace causes the internal rendering routine to panic. When a user visits any page containing an issue reference, the application crashes and becomes unavailable, effectively denying service for that repository.

Affected Systems

The vulnerability affects the Gogs open‑source self‑hosted Git service version 0.14.2 and earlier. Versions 0.14.3 and later contain the fix.

Risk and Exploitability

The CVSS score of 3.5 indicates a low to moderate severity. The EPSS score is not available, and the vulnerability is not listed in CISA KEV, suggesting limited active exploitation. The attack requires the ability to modify the repository configuration to insert the malicious pattern, which would typically be an authenticated user with administrative rights. Once the pattern is set, any issue reference triggers a crash, resulting in an immediate denial of service for all visitors to the affected pages.

Generated by OpenCVE AI on June 24, 2026 at 21:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Gogs to version 0.14.3 or later, which patches the rendering logic.
  • Verify the issue index pattern in the repository configuration and correct any unclosed braces or remove the pattern entirely.
  • As a temporary workaround, disable or reset the custom issue index pattern to the default setting while awaiting the patch.
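
The failure mode and the unclosed-brace check from the recommended actions, as an added Go example (not Gogs or com code). naiveExpand is a simplified stand-in for the unchecked slice the description names; validatePattern, the {index} placeholder and the tracker.example host are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// naiveExpand is a simplified stand-in for the unsafe expansion the advisory
// describes (not Gogs or com code): it slices at the index of "}" unchecked.
func naiveExpand(template string, vals map[string]string) string {
	var out strings.Builder
	for i := strings.Index(template, "{"); i >= 0; i = strings.Index(template, "{") {
		out.WriteString(template[:i])
		template = template[i+1:]
		j := strings.Index(template, "}")
		out.WriteString(vals[template[:j]]) // j == -1 panics: slice bounds out of range
		template = template[j+1:]
	}
	out.WriteString(template)
	return out.String()
}

// panics reports whether expanding the pattern panics.
func panics(pattern string) (p bool) {
	defer func() { p = recover() != nil }()
	naiveExpand(pattern, map[string]string{"index": "1"})
	return false
}

// validatePattern returns an error for any "{" that has no later "}".
func validatePattern(pattern string) error {
	for off := 0; ; {
		i := strings.Index(pattern[off:], "{")
		if i < 0 {
			return nil
		}
		j := strings.Index(pattern[off+i+1:], "}")
		if j < 0 {
			return fmt.Errorf("unclosed '{' at byte %d", off+i)
		}
		off += i + 1 + j + 1
	}
}

func main() { // constructed sample patterns; tracker.example is a placeholder host
	for _, p := range []string{"https://tracker.example/{index}", "https://tracker.example/{index"} {
		fmt.Printf("%q panics=%v err=%v\n", p, panics(p), validatePattern(p))
	}
}
```

Running a check like validatePattern when the pattern is saved, and again before rendering, keeps an already-stored malformed pattern from reaching the expansion step.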



Advisories
Source ID Title
Github GHSA GHSA-4j89-2c4f-44c6 Gogs has DoS in rendering issue index pattern
History

Wed, 24 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Description Gogs is an open source self-hosted Git service. Prior to 0.14.3, a specially crafted issue index pattern can cause a panic when rendering, resulting in denial of service. In internal/markup/markup.go, RenderIssueIndexPattern renders the issue index pattern to a link using com.Expand, which is not safe: when the configured pattern contains an opening brace { but no closing brace }, strings.Index(template, "}") returns -1 and the subsequent slice template[:-1] triggers a panic. Once such a pattern is set, any page in the affected repository that contains an issue index reference such as #1 becomes unavailable. This vulnerability is fixed in 0.14.3.
Title Gogs: DoS in rendering issue index pattern
Weaknesses CWE-1336
References
Metrics cvssV3_1 {'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L'}



MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-24T20:13:11.884Z

Reserved: 2026-06-08T18:02:19.731Z

Link: CVE-2026-52796


OpenCVE Enrichment

Updated: 2026-06-24T21:45:15Z

Weaknesses
  • CWE-1336

    Improper Neutralization of Special Elements Used in a Template Engine