CVE-2026-25242
Last modified
CVE-2026-25242 is a medium-severity vulnerability rated 6.9/10 on the CVSS scale. Gogs is an open source self-hosted Git service. Versions 0.13.4 and below expose unauthenticated file upload endpoints by default. EPSS estimates a 0.62% chance of exploitation in the next 30 days.
Description
Gogs is an open source self-hosted Git service. Versions 0.13.4 and below expose unauthenticated file upload endpoints by default. When the global RequireSigninView setting is disabled (default), any remote user can upload arbitrary files to the server via /releases/attachments and /issues/attachments. This enables the instance to be abused as a public file host, potentially leading to disk exhaustion, content hosting, or delivery of malware. CSRF tokens do not mitigate this attack due to same-origin cookie issuance. This issue has been fixed in version 0.14.1.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Gogs | Gogs | < 0.14.1 |
References
- https://github.com/gogs/gogs/pull/8128Issue Tracking
- https://github.com/gogs/gogs/releases/tag/v0.14.1Release Notes
- https://github.com/gogs/gogs/security/advisories/GHSA-fc3h-92p8-h36fExploit, Patch, Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2026-25242?
How severe is CVE-2026-25242?
How do I fix CVE-2026-25242?
Are you affected by CVE-2026-25242?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST