Gogs Remote Command Execution Vulnerability

Vulnerability

A remote command execution vulnerability exists in Gogs versions through 0.13.3. This issue arises from an inadequate fix for a previous vulnerability, allowing files in the .git directory to be modified via the repository contents API. The vulnerability can be exploited by updating the .git/config file, which triggers the execution of arbitrary commands on the server.

Impact

Exploitation of this vulnerability allows for remote command execution on the server where Gogs is hosted.

Reproduction

To reproduce this vulnerability, first commit a symbolic link that points at the .git/config file and push it to a repository. Then use the repository contents API to update the linked file with crafted content that includes a command to be executed. This is done by sending a PUT request to the repository contents API endpoint with a valid authorization token and the crafted content.

Remediation

Users can upgrade to Gogs versions 0.13.4 or 0.14.0+dev to address this vulnerability.
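As an added defensive example, not code from this advisory or from the Gogs project: a check that walks `git ls-tree -r` output and flags symlink entries whose target resolves into the .git directory or outside the work tree, which is the pattern the reproduction above relies on. It assumes the caller supplies each symlink's target (in a pre-receive hook you would read the symlink blob with `git cat-file -p <hash>`); the sample tree, hashes and targets below are constructed.

```python
import posixpath

# Git tree mode for a symbolic link entry.
SYMLINK_MODE = "120000"


def parse_ls_tree(output):
    """Parse `git ls-tree -r` lines of the form '<mode> <type> <hash>\\t<path>'."""
    entries = []
    for line in output.splitlines():
        if not line.strip():
            continue
        meta, _, path = line.partition("\t")
        mode, obj_type, obj_hash = meta.split()
        entries.append((mode, obj_type, obj_hash, path))
    return entries


def resolves_into_git_dir(link_path, target):
    """True if a symlink at repo-relative link_path with the given target
    resolves under the repository's .git directory or escapes the work tree."""
    if posixpath.isabs(target):
        return True  # an absolute target can point anywhere on the host
    resolved = posixpath.normpath(posixpath.join(posixpath.dirname(link_path), target))
    parts = resolved.split("/")
    if parts[0] == "..":
        return True  # climbs out of the work tree (e.g. into the bare repo)
    return ".git" in parts  # any path component named .git is off limits


def find_git_dir_symlinks(ls_tree_output, link_targets):
    """Return (path, target) for every symlink entry that must be rejected.
    link_targets maps symlink path -> link target (the blob's content)."""
    findings = []
    for mode, _obj_type, _obj_hash, path in parse_ls_tree(ls_tree_output):
        if mode != SYMLINK_MODE:
            continue
        target = link_targets.get(path, "")
        if resolves_into_git_dir(path, target):
            findings.append((path, target))
    return findings


# Constructed sample tree: hashes are placeholders, not real object ids.
SAMPLE_LS_TREE = (
    "100644 blob 0000000000000000000000000000000000000001\tREADME.md\n"
    "120000 blob 0000000000000000000000000000000000000002\tcfg\n"
    "120000 blob 0000000000000000000000000000000000000003\tdocs/link\n"
    "120000 blob 0000000000000000000000000000000000000004\tdocs/escape\n"
)
SAMPLE_TARGETS = {"cfg": ".git/config", "docs/link": "../README.md", "docs/escape": "../../outside"}

if __name__ == "__main__":
    for path, target in find_git_dir_symlinks(SAMPLE_LS_TREE, SAMPLE_TARGETS):
        print(f"reject: {path} -> {target}")
```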

Added: Feb 6, 2026, 5:24 PM
Updated: Feb 7, 2026, 12:05 AM

Vulnerability Rating (Custom Algorithm)

spread          3.1
impact          3.1
exploitability  6.6
remediation     7.7
relevance       2.6
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.