Все бюллетени/sisyphus/ALT-PU-2026-9970-2
ALT-PU-2026-9970-2

Обновление пакета gogs в ветке sisyphus

Версия0.14.3-alt1
Задание#422609
Опубликовано2026-06-25
Макс. серьёзностьCRITICAL
Серьёзность:

Закрытые проблемы (42)

BDU:2025-15737
HIGH8.8

Уязвимость прикладного программного интерфейса PutContents программного средства создания самоуправляемых Git-репозиториев Gogs, позволяющая нарушителю выполнить произвольный код

Опубликовано: 2025-12-14Изменено: 2026-04-20
CVSS 3.xВЫСОКАЯ 8.8
CVSS:3.x/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS 2.0КРИТИЧЕСКАЯ 9.0
CVSS:2.0/AV:N/AC:L/Au:S/C:C/I:C/A:C
Ссылки
BDU:2026-02143
CRITICAL9.8

Уязвимость функций UploadIssueAttachment() и UploadReleaseAttachment() программного средства создания самоуправляемых Git-репозиториев Gogs, позволяющая нарушителю вызвать отказ в обслуживании и выполнить произвольный код

Опубликовано: 2026-02-24
CVSS 3.xКРИТИЧЕСКАЯ 9.8
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 2.0КРИТИЧЕСКАЯ 10.0
CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:C/A:C
Ссылки
BDU:2026-05190
CRITICAL9.3

Уязвимость программного средства создания самоуправляемых Git-репозиториев Gogs, связанная с недостаточной проверкой подлинности данных, позволяющая нарушителю перезаписывать объекты LFS

Опубликовано: 2026-04-13
CVSS 3.xКРИТИЧЕСКАЯ 9.3
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:L
CVSS 2.0ВЫСОКАЯ 8.5
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:C/A:P
Ссылки
BDU:2026-06147
MEDIUM6.1

Уязвимость функции safe() программного средства создания самоуправляемых Git-репозиториев Gogs, позволяющая нарушителю проводить межсайтовые сценарные атаки

Опубликовано: 2026-04-29
CVSS 3.xСРЕДНЯЯ 6.1
CVSS:3.x/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSS 2.0СРЕДНЯЯ 6.4
CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:N
Ссылки
BDU:2026-06148
MEDIUM5.3

Уязвимость реализации прикладного программного интерфейса программного средства создания самоуправляемых Git-репозиториев Gogs, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации

Опубликовано: 2026-04-29
CVSS 3.xСРЕДНЯЯ 5.3
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS 2.0СРЕДНЯЯ 5.0
CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N
Ссылки
BDU:2026-06149
HIGH7.3

Уязвимость программного средства создания самоуправляемых Git-репозиториев Gogs, существующая из-за непринятия мер по защите структуры веб-страницы, позволяющая нарушителю проводить межсайтовые сценарные атаки

Опубликовано: 2026-04-29
CVSS 3.xВЫСОКАЯ 7.3
CVSS:3.x/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
CVSS 2.0ВЫСОКАЯ 8.5
CVSS:2.0/AV:N/AC:L/Au:S/C:C/I:C/A:N
Ссылки
BDU:2026-06150
HIGH8.7

Уязвимость программного средства создания самоуправляемых Git-репозиториев Gogs, существующая из-за непринятия мер по защите структуры веб-страницы, позволяющая нарушителю проводить межсайтовые сценарные атаки

Опубликовано: 2026-04-29
CVSS 3.xВЫСОКАЯ 8.7
CVSS:3.x/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
CVSS 2.0ВЫСОКАЯ 8.5
CVSS:2.0/AV:N/AC:L/Au:S/C:C/I:C/A:N
Ссылки
BDU:2026-06151
HIGH7.3

Уязвимость программного средства создания самоуправляемых Git-репозиториев Gogs, связанная с внедрением или модификацией аргументов, позволяющая нарушителю оказать воздействие на целостность и доступность защищаемой информации

Опубликовано: 2026-04-29
CVSS 3.xВЫСОКАЯ 7.3
CVSS:3.x/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H
CVSS 2.0ВЫСОКАЯ 8.5
CVSS:2.0/AV:N/AC:L/Au:S/C:N/I:C/A:C
Ссылки
CVE-2025-64111
CRITICAL9.3

Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, due to the insufficient patch for CVE-2024-56731, it's still possible to update files in the .git directory and achieve remote command execution. This issue has been patched in versions 0.13.4 and 0.14.0+dev.

Опубликовано: 2026-02-06Изменено: 2026-06-17
CVSS 3.xКРИТИЧЕСКАЯ 9.8
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0КРИТИЧЕСКАЯ 9.3
CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Ссылки
CVE-2025-64175
HIGH7.7

Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, Gogs’ 2FA recovery code validation does not scope codes by user, enabling cross-account bypass. If an attacker knows a victim’s username and password, they can use any unused recovery code (e.g., from their own account) to bypass the victim’s 2FA. This enables full account takeover and renders 2FA ineffective in all environments where it's enabled.. This issue has been patched in versions 0.13.4 and 0.14.0+dev.

Опубликовано: 2026-02-06Изменено: 2026-06-17
CVSS 3.xВЫСОКАЯ 8.8
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0ВЫСОКАЯ 7.7
CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Ссылки
CVE-2025-8110
HIGH8.7

Improper Symbolic link handling in the PutContents API in Gogs allows Local Execution of Code.

Опубликовано: 2025-12-10Изменено: 2026-06-17
CVSS 3.xВЫСОКАЯ 8.8
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0ВЫСОКАЯ 8.7
CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:C/RE:X/U:X
Ссылки
CVE-2026-22592
MEDIUM6.5

Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, an authenticated user can cause a DOS attack. If one of the repo files is deleted before synchronization, it will cause the application to crash. This issue has been patched in versions 0.13.4 and 0.14.0+dev.

Опубликовано: 2026-02-06Изменено: 2026-06-17
CVSS 3.xСРЕДНЯЯ 6.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Ссылки
CVE-2026-23632
MEDIUM6.5

Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, the endpoint "PUT /repos/:owner/:repo/contents/*" does not require write permissions and allows access with read permission only via repoAssignment(). After passing the permission check, PutContents() invokes UpdateRepoFile(), which results in commit creation and the execution of git push. As a result, a token with read-only permission can be used to modify repository contents. This issue has been patched in versions 0.13.4 and 0.14.0+dev.

Опубликовано: 2026-02-06Изменено: 2026-06-17
CVSS 3.xСРЕДНЯЯ 6.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Ссылки
CVE-2026-23633
MEDIUM6.5

Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, there is an arbitrary file read/write via path traversal in Git hook editing. This issue has been patched in versions 0.13.4 and 0.14.0+dev.

Опубликовано: 2026-02-06Изменено: 2026-06-17
CVSS 3.xСРЕДНЯЯ 6.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Ссылки
CVE-2026-24135
HIGH7.2

Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, a path traversal vulnerability exists in the updateWikiPage function of Gogs. The vulnerability allows an authenticated user with write access to a repository's wiki to delete arbitrary files on the server by manipulating the old_title parameter in the wiki editing form. This issue has been patched in versions 0.13.4 and 0.14.0+dev.

Опубликовано: 2026-02-06Изменено: 2026-06-17
CVSS 3.xВЫСОКАЯ 8.1
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
CVSS 4.0ВЫСОКАЯ 7.2
CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Ссылки
CVE-2026-25120
MEDIUM5.1

Gogs is an open source self-hosted Git service. In versions 0.13.4 and below, the DeleteComment API does not verify that the comment belongs to the repository specified in the URL. This allows a repository administrator to delete comments from any other repository by supplying arbitrary comment IDs, bypassing authorization controls. The DeleteComment function retrieves a comment by ID without verifying repository ownership and the Database function DeleteCommentByID performs no repository validation. This issue has been fixed in version 0.14.0.

Опубликовано: 2026-02-19Изменено: 2026-06-17
CVSS 3.xНИЗКАЯ 2.7
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
CVSS 4.0СРЕДНЯЯ 5.1
CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Ссылки
CVE-2026-25229
MEDIUM5.3

Gogs is an open source self-hosted Git service. Versions 0.13.4 and below have a broken access control vulnerability which allows authenticated users with write access to any repository to modify labels belonging to other repositories. The UpdateLabel function in the Web UI (internal/route/repo/issue.go) fails to verify that the label being modified belongs to the repository specified in the URL path, enabling cross-repository label tampering attacks. The vulnerability exists in the Web UI's label update endpoint POST /:username/:reponame/labels/edit. The handler function UpdateLabel uses an incorrect database query function that bypasses repository ownership validation. This issue has been fixed in version 0.14.1.

Опубликовано: 2026-02-19Изменено: 2026-06-17
CVSS 3.xСРЕДНЯЯ 6.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
CVSS 4.0СРЕДНЯЯ 5.3
CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Ссылки
CVE-2026-25232
HIGH7.1

Gogs is an open source self-hosted Git service. Versions 0.13.4 and below have an access control bypass vulnerability which allows any repository collaborator with Write permissions to delete protected branches (including the default branch) by sending a direct POST request, completely bypassing the branch protection mechanism. This vulnerability in the DeleteBranchPost function eenables privilege escalation from Write to Admin level, allowing low-privilege users to perform dangerous operations that should be restricted to administrators only. Although Git Hook layer correctly prevents protected branch deletion via SSH push, the web interface deletion operation does not trigger Git Hooks, resulting in complete bypass of protection mechanisms. In oder to exploit this vulnerability, attackers must have write permissions to the target repository, protected branches configured to the target repository and access to the Gogs web interface. This issue has been fixed in version 0.14.1.

Опубликовано: 2026-02-19Изменено: 2026-06-17
CVSS 3.xВЫСОКАЯ 8.8
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0ВЫСОКАЯ 7.1
CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Ссылки
CVE-2026-25242
MEDIUM6.9

Gogs is an open source self-hosted Git service. Versions 0.13.4 and below expose unauthenticated file upload endpoints by default. When the global RequireSigninView setting is disabled (default), any remote user can upload arbitrary files to the server via /releases/attachments and /issues/attachments. This enables the instance to be abused as a public file host, potentially leading to disk exhaustion, content hosting, or delivery of malware. CSRF tokens do not mitigate this attack due to same-origin cookie issuance. This issue has been fixed in version 0.14.1.

Опубликовано: 2026-02-19Изменено: 2026-06-17
CVSS 3.xКРИТИЧЕСКАЯ 9.8
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0
CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Ссылки
CVE-2026-25921
CRITICAL9.3

Gogs is an open source self-hosted Git service. Prior to version 0.14.2, overwritable LFS object across different repos leads to supply-chain attack, all LFS objects are vulnerable to be maliciously overwritten by malicious attackers. This issue has been patched in version 0.14.2.

Опубликовано: 2026-03-05Изменено: 2026-06-17
CVSS 3.xКРИТИЧЕСКАЯ 9.3
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:L
Ссылки
CVE-2026-26022
MEDIUM5.4

Gogs is an open source self-hosted Git service. Prior to version 0.14.2, a stored cross-site scripting (XSS) vulnerability exists in the comment and issue description functionality. The application's HTML sanitizer explicitly allows data: URI schemes, enabling authenticated users to inject arbitrary JavaScript execution via malicious links. This issue has been patched in version 0.14.2.

Опубликовано: 2026-03-05Изменено: 2026-06-17
CVSS 3.xСРЕДНЯЯ 5.4
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Ссылки
CVE-2026-26194
HIGH8.8

Gogs is an open source self-hosted Git service. Prior to version 0.14.2, there's a security issue in gogs where deleting a release can fail if a user controlled tag name is passed to git without the right separator, this lets git options get injected and mess with the process. This issue has been patched in version 0.14.2.

Опубликовано: 2026-03-05Изменено: 2026-06-17
CVSS 3.xВЫСОКАЯ 7.3
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H
CVSS 4.0ВЫСОКАЯ 8.8
CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Ссылки
CVE-2026-26195
MEDIUM6.9

Gogs is an open source self-hosted Git service. Prior to version 0.14.2, stored xss is still possible through unsafe template rendering that mixes user input with safe plus permissive sanitizer handling of data urls. This issue has been patched in version 0.14.2.

Опубликовано: 2026-03-05Изменено: 2026-06-17
CVSS 3.xСРЕДНЯЯ 6.1
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSS 4.0
CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Ссылки
CVE-2026-26196
MEDIUM6.9

Gogs is an open source self-hosted Git service. Prior to version 0.14.2, gogs api still accepts tokens in url params like token and access_token, which can leak through logs, browser history, and referrers. This issue has been patched in version 0.14.2.

Опубликовано: 2026-03-05Изменено: 2026-06-17
CVSS 3.xСРЕДНЯЯ 5.3
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS 4.0
CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Ссылки
CVE-2026-26276
MEDIUM5.4

Gogs is an open source self-hosted Git service. Prior to version 0.14.2, an attacker can store an HTML/JavaScript payload in a repository’s Milestone name, and when another user selects that Milestone on the New Issue page (/issues/new), a DOM-Based XSS is triggered. This issue has been patched in version 0.14.2.

Опубликовано: 2026-03-05Изменено: 2026-06-17
CVSS 3.xСРЕДНЯЯ 5.4
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Ссылки
GHSA-2c6v-8r3v-gh6p
HIGH7.1

Gogs has a Protected Branch Deletion Bypass in Web Interface

Опубликовано: 2026-02-17Изменено: 2026-02-19
CVSS 4.0ВЫСОКАЯ 7.1
CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Ссылки
GHSA-5qhx-gwfj-6jqr
MEDIUM6.5

Gogs user can update repository content with read-only permission

Опубликовано: 2026-02-06Изменено: 2026-02-06
CVSS 3.xСРЕДНЯЯ 6.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Ссылки
GHSA-cj4v-437j-jq4c
CRITICAL9.3

Gogs: Cross-repository LFS object overwrite via missing content hash verification

Опубликовано: 2026-03-05Изменено: 2026-03-05
CVSS 3.xКРИТИЧЕСКАЯ 9.3
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:L
Ссылки
GHSA-cr88-6mqm-4g57
MEDIUM6.5

Gogs has a Denial of Service issue

Опубликовано: 2026-02-06Изменено: 2026-02-06
CVSS 3.xСРЕДНЯЯ 6.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Ссылки
GHSA-cv22-72px-f4gh
MEDIUM5.3

Gogs has an Authorization Bypass Allows Cross-Repository Label Modification in Gogs

Опубликовано: 2026-02-17Изменено: 2026-02-19
CVSS 4.0СРЕДНЯЯ 5.3
CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Ссылки
GHSA-fc3h-92p8-h36f
MEDIUM6.9

Unauthenticated File Upload in Gogs

Опубликовано: 2026-02-17Изменено: 2026-02-19
CVSS 4.0
CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Ссылки
GHSA-gg64-xxr9-qhjp
CRITICAL9.3

Gogs's update .git/config file allows remote command execution

Опубликовано: 2026-02-06Изменено: 2026-02-06
CVSS 4.0КРИТИЧЕСКАЯ 9.3
CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Ссылки
GHSA-jj5m-h57j-5gv7
MEDIUM5.1

Gogs Allows Cross-Repository Comment Deletion via DeleteComment

Опубликовано: 2026-02-17Изменено: 2026-02-19
CVSS 4.0СРЕДНЯЯ 5.1
CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
Ссылки
GHSA-mq8m-42gh-wq7r
HIGH8.7

Gogs vulnerable to a bypass of CVE-2024-55947

Опубликовано: 2025-12-10Изменено: 2026-01-20
CVSS 4.0ВЫСОКАЯ 8.7
CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A
Ссылки
GHSA-mrph-w4hh-gx3g
MEDIUM6.5

Gogs has arbitrary file read/write via Path Traversal in Git hook editing

Опубликовано: 2026-02-06Изменено: 2026-02-06
CVSS 3.xСРЕДНЯЯ 6.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Ссылки
GHSA-p6x6-9mx6-26wj
HIGH7.7

Gogs Vulnerable to 2FA Bypass via Recovery Code

Опубликовано: 2026-02-06Изменено: 2026-02-06
CVSS 4.0ВЫСОКАЯ 7.7
CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Ссылки
GHSA-v9vm-r24h-6rqm
HIGH8.8

Gogs: Release tag option injection in release deletion

Опубликовано: 2026-03-05Изменено: 2026-03-05
CVSS 4.0ВЫСОКАЯ 8.8
CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N
Ссылки
GHSA-vgjm-2cpf-4g7c
HIGH7.3

Gogs: DOM-based XSS via milestone selection

Опубликовано: 2026-03-05Изменено: 2026-03-05
CVSS 3.xВЫСОКАЯ 7.3
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Ссылки
GHSA-vgvf-m4fw-938j
MEDIUM6.9

Gogs: Stored XSS in branch and wiki views through author and committer names

Опубликовано: 2026-03-05Изменено: 2026-03-05
CVSS 4.0
CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Ссылки
GHSA-x9p5-w45c-7ffc
MEDIUM6.9

Gogs: Access tokens get exposed through URL params in API requests

Опубликовано: 2026-03-05Изменено: 2026-03-06
CVSS 3.x
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS 4.0
CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Ссылки
GHSA-xrcr-gmf5-2r8j
HIGH8.7

Gogs: Stored XSS via data URI in issue comments

Опубликовано: 2026-03-05Изменено: 2026-03-05
CVSS 3.xВЫСОКАЯ 8.7
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Ссылки