CVE-2026-23633 — Vulnetix

CVE-2026-23633 PUBLISHED CVSS 6.5 MEDIUM

Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, there is an arbitrary file read/write via path traversal in Git hook editing. This issue has been patched in versions 0.13.4 and 0.14.0+dev.

EPSS 0.03% · 9.6th percentile

Risk Scores

CVSS v3.1

6.5

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

EPSS Score

0.03%

9.6th percentile

Affected Products

Vendor	Product	Versions
gogs	gogs	< 0.13.4, 0, < 0.14.0+dev
gogs.io	gogs	0, 0

Timeline

Feb 6, 2026 CVE Published
Feb 7, 2026 EPSS Score
Feb 9, 2026 EPSS Score
Feb 11, 2026 EPSS Score
Feb 13, 2026 EPSS Score
Feb 15, 2026 EPSS Score
Feb 17, 2026 EPSS Score
Feb 19, 2026 EPSS Score
Feb 21, 2026 EPSS Score
Feb 23, 2026 EPSS Score
Feb 25, 2026 EPSS Score
Feb 27, 2026 EPSS Score

References

https://github.com/gogs/gogs/security/advisories/GHSA-mrph-w4hh-gx3g url
https://nvd.nist.gov/vuln/detail/CVE-2026-23633 advisory
https://github.com/gogs/gogs/commit/4894629903f9508fe85567c44f68804f008f1655 url
https://github.com/gogs/gogs package
https://github.com/gogs/gogs/releases/tag/v0.13.4 url

Open in Interactive Console →