CVE-2026-52802: Gogs is an open source self-hosted Git service. Prior to 0.14.3, an open redirect vulnerability exists in Gogs where attacker-controlled redirect_to p...

Description

Gogs is an open source self-hosted Git service. Prior to 0.14.3, an open redirect vulnerability exists in Gogs where attacker-controlled redirect_to parameters can bypass validation, allowing redirection to arbitrary external sites. All redirects in Gogs that are validated via the IsSameSite function are vulnerable. The function only inspects the first two characters of the URL string. This check fails to account for directory traversal sequences followed by backslashes. This vulnerability is fixed in 0.14.3.

Metrics

CVSS 3.1

5.4/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

CVSS 3.0

/10

EPSS Probability

0.55%

42.0th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-601

References

Timeline

Published: Jun 24, 2026
Last Modified: Jun 25, 2026
Status: Deferred

Frequently Asked Questions

What is CVE-2026-52802?

Gogs is an open source self-hosted Git service. Prior to 0.14.3, an open redirect vulnerability exists in Gogs where attacker-controlled redirect_to parameters can bypass validation, allowing redirection to arbitrary external sites. All redirects in Gogs that are validated via the IsSameSite function are vulnerable. The function only inspects the first two characters of the URL string. This check fails to account for directory traversal sequences followed by backslashes. This vulnerability is fixed in 0.14.3.

How severe is CVE-2026-52802?

CVE-2026-52802 has a CVSS score of 5.4/10 (MEDIUM severity). The EPSS model estimates a 0.55% probability of exploitation in the next 30 days.

How do I fix CVE-2026-52802?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.