Description
Gogs is an open source self-hosted Git service. Prior to 0.14.0, an authorized user can control the value passed to the git diff command and, by bypassing the filtering applied to that value, escape the target directory and write the result of the comparison to an arbitrary path. This vulnerability is fixed in 0.14.0.
Published: 2026-06-24
Score: 8.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Gogs allows an authorized user to supply a git diff argument that bypasses path filtering, enabling writes to arbitrary locations on the file system, potentially overwriting critical files and causing a denial of service.

Affected Systems

Gogs instances running any version earlier than 0.14.0 are vulnerable. The issue affects all deployments of the gogs:gogs product before the patch.

Risk and Exploitability

The CVSS score of 8.5 indicates a high severity. The EPSS score is not available and the vulnerability is not listed in CISA KEV. It is exploitable only by an authenticated user with write access through the Git interface. Once exploited, an attacker can overwrite critical files and potentially cause application downtime or corruption.

Generated by OpenCVE AI on June 25, 2026 at 00:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Gogs 0.14.0 or later to receive the fix for the arbitrary file write issue.
  • Enforce least privilege on Git user accounts, ensuring they cannot trigger arbitrary git diff operations with crafted inputs.
  • Restrict writes to critical directories by applying file system permissions or chroot constraints.

Advisories

Source: Github GHSA
ID: GHSA-pm6v-2h4w-4rp2
Title: Gogs: Overwriting critical files results in a denial of service

History

Wed, 24 Jun 2026 21:15:00 +0000

Values removed: none

Values added:
  • Description: Gogs is an open source self-hosted Git service. Prior to 0.14.0, as an authorized user, an intruder can dictate the value which is passed to the git diff command which, together with bypassing the filtering of the passed value, allows the user to bypass the target directory and write the result of the comparison to any arbitrary path. This vulnerability is fixed in 0.14.0.
  • Title: Gogs: Overwriting critical files results in a denial of service
  • Weaknesses: CWE-22
  • References:
  • Metrics: cvssV3_1 {'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-24T20:35:09.235Z

Reserved: 2026-06-08T18:02:19.731Z

Link: CVE-2026-52797

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T00:30:03Z

Weaknesses
  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')