Description
Gogs is an open source self-hosted Git service. Prior to 0.14.3, an open redirect vulnerability exists in Gogs where attacker-controlled redirect_to parameters can bypass validation, allowing redirection to arbitrary external sites. All redirects in Gogs that are validated via the IsSameSite function are vulnerable. The function only inspects the first two characters of the URL string. This check fails to account for directory traversal sequences followed by backslashes. This vulnerability is fixed in 0.14.3.
Published: 2026-06-24
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An attacker-controlled redirect_to parameter in Gogs redirects users to arbitrary external URLs, enabling phishing or malicious site visits. The flaw arises because the IsSameSite function only checks the first two characters of the URL, allowing directory traversal and backslashes to bypass validation. This weakness is categorized as CWE‑601 and can compromise user trust without giving the attacker direct code execution.

Affected Systems

All Gogs installations prior to version 0.14.3 are affected. The vulnerability impacts all redirects that use the redirect_to parameter and are validated through the vulnerable IsSameSite function.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate severity, and the EPSS score is not available, meaning no current data on exploitation likelihood. The issue is not listed in CISA KEV. Attackers can exploit the flaw by crafting URLs with manipulated redirect_to values that bypass validation, redirecting victims to malicious sites. No authentication or privileged access is required, making the attack vector relatively low effort.

Generated by OpenCVE AI on June 24, 2026 at 21:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Gogs to version 0.14.3 or later, which implements proper redirect validation.
  • If an upgrade is not possible, remove or neutralize the redirect_to parameter in the application code so that only internal redirects are allowed.
  • Deploy a security rule that blocks or scrutinizes URLs containing redirect_to that point to external domains, mitigating the risk of malformed redirects.

Generated by OpenCVE AI on June 24, 2026 at 21:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-xxhq-69mf-w8cr Gogs has an Open Redirect via redirect_to
History

Thu, 25 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 06:00:00 +0000

Type Values Removed Values Added
First Time appeared Gogs
Gogs gogs
Vendors & Products Gogs
Gogs gogs

Wed, 24 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Description Gogs is an open source self-hosted Git service. Prior to 0.14.3, an open redirect vulnerability exists in Gogs where attacker-controlled redirect_to parameters can bypass validation, allowing redirection to arbitrary external sites. All redirects in Gogs that are validated via the IsSameSite function are vulnerable. The function only inspects the first two characters of the URL string. This check fails to account for directory traversal sequences followed by backslashes. This vulnerability is fixed in 0.14.3.
Title Gogs: Open Redirect via redirect_to in Gogs
Weaknesses CWE-601
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-25T15:52:07.981Z

Reserved: 2026-06-08T18:02:19.731Z

Link: CVE-2026-52802

cve-icon Vulnrichment

Updated: 2026-06-25T15:51:36.165Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T05:45:02Z

Weaknesses
  • CWE-601

    URL Redirection to Untrusted Site ('Open Redirect')