Vulnerability Description
Gogs is an open source self-hosted Git service. Versions 0.13.4 and below expose unauthenticated file upload endpoints by default. When the global RequireSigninView setting is disabled (default), any remote user can upload arbitrary files to the server via /releases/attachments and /issues/attachments. This enables the instance to be abused as a public file host, potentially leading to disk exhaustion, content hosting, or delivery of malware. CSRF tokens do not mitigate this attack due to same-origin cookie issuance. This issue has been fixed in version 0.14.1.
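As an added example that is not part of this advisory or of the Gogs project, the following Python script audits a Gogs instance for the condition described above: it compares the running version against the 0.14.1 fix version from the affected-products table and checks whether the sign-in-to-view setting is enabled in the instance's app.ini. It assumes the setting is written as REQUIRE_SIGNIN_VIEW in the [service] section (the advisory names the setting by its Go identifier RequireSigninView); the ini text below is constructed for the example.

```python
"""Audit a Gogs instance's version and app.ini for exposure to CVE-2026-25242.

Added example, not from the advisory or the Gogs project. Assumptions: the
ini key for the setting is REQUIRE_SIGNIN_VIEW under [service] (an assumed
spelling of the RequireSigninView setting named in the advisory), and the
fixed version is 0.14.1 as the affected-products table states.
"""
import configparser
import re

FIXED_VERSION = (0, 14, 1)
UPLOAD_ENDPOINTS = ("/releases/attachments", "/issues/attachments")


def parse_version(version: str) -> tuple:
    """Turn '0.13.4', 'v0.13.4' or '0.13.4+dev' into a comparable int triple."""
    match = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in match.groups())


def version_is_affected(version: str) -> bool:
    """True when the instance runs a release older than the fix."""
    return parse_version(version) < FIXED_VERSION


def require_signin_view_enabled(ini_text: str) -> bool:
    """Read REQUIRE_SIGNIN_VIEW from app.ini text.

    A missing section or key means the default applies, and the advisory
    states the default is disabled, so fall back to False.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(ini_text)
    return parser.getboolean("service", "REQUIRE_SIGNIN_VIEW", fallback=False)


def assess(version: str, ini_text: str) -> list:
    """Return a list of human-readable findings; empty means no exposure found."""
    findings = []
    affected = version_is_affected(version)
    if affected:
        fixed = ".".join(str(n) for n in FIXED_VERSION)
        findings.append(f"Gogs {version} is older than {fixed}: upgrade")
    if affected and not require_signin_view_enabled(ini_text):
        findings.append(
            "REQUIRE_SIGNIN_VIEW is disabled: unauthenticated uploads to "
            + " and ".join(UPLOAD_ENDPOINTS)
            + " remain reachable; enable it as a stopgap until upgraded"
        )
    return findings


# Constructed sample app.ini fragment for demonstration only
SAMPLE_INI = """
[service]
REQUIRE_SIGNIN_VIEW = false
DISABLE_REGISTRATION = true
"""

if __name__ == "__main__":
    for line in assess("0.13.4", SAMPLE_INI):
        print("FINDING:", line)
    print("findings for 0.14.1:", assess("0.14.1", SAMPLE_INI))
```

Run it against the real app.ini and the version shown in the instance's admin panel; enabling REQUIRE_SIGNIN_VIEW only removes the unauthenticated path described above, so the upgrade to 0.14.1 is still the actual fix.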
CVSS Score
9.8 (CRITICAL)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Gogs | Gogs | < 0.14.1 |
Related Weaknesses (CWE)
References
- https://github.com/gogs/gogs/commit/628216d5889fcb838c471f4754f09b935d9cd9f3 (Patch)
- https://github.com/gogs/gogs/pull/8128 (Issue Tracking)
- https://github.com/gogs/gogs/releases/tag/v0.14.1 (Release Notes)
- https://github.com/gogs/gogs/security/advisories/GHSA-fc3h-92p8-h36f (Exploit, Patch, Vendor Advisory)
FAQ
What is CVE-2026-25242?
CVE-2026-25242 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Gogs is an open source self-hosted Git service. Versions 0.13.4 and below expose unauthenticated file upload endpoints by default. When the global RequireSigninView setting is disabled (default), any ...
How severe is CVE-2026-25242?
CVE-2026-25242 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2026-25242?
Check the references section above for vendor advisories and patch information. Affected products include: Gogs (vendor: Gogs).