VDB
CVE-2026-25242
PUBLISHED
CVSS 6.9 MEDIUM
Gogs is an open source self-hosted Git service. Versions 0.13.4 and below expose unauthenticated file upload endpoints by default. When the global RequireSigninView setting is disabled (the default), any remote user can upload arbitrary files to the server by POSTing to /releases/attachments and /issues/attachments without logging in. This lets the instance be abused as a public file host, potentially leading to disk exhaustion, hosting of arbitrary content, or malware distribution. CSRF tokens do not mitigate the attack because the server issues the session cookie and its matching CSRF token to any anonymous visitor, so an attacker simply fetches them first. This issue has been fixed in version 0.14.1.
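Two checks a defender of an affected instance would want, as an added example that is not part of this advisory or the Gogs project: a configuration check that reports whether REQUIRE_SIGNIN_VIEW under [service] in app.ini is enabled (the key name is Gogs' own; treating any other value as disabled is this script's assumption), and a log heuristic that flags source IPs which POST repeatedly to the two attachment endpoints without ever having logged in during the same log window. The log lines are constructed, in nginx combined format from a reverse proxy in front of Gogs; the assumption that a successful login shows up as `POST /user/login` answered with a 302 redirect, and the upload threshold of 3, are both choices made here, not facts from the advisory.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlsplit

# Endpoints named in the advisory that accept uploads without a login
# when REQUIRE_SIGNIN_VIEW is disabled.
ATTACHMENT_PATHS = ("/releases/attachments", "/issues/attachments")
LOGIN_PATH = "/user/login"  # assumption: successful login is a 302 from this path

# nginx "combined" log format: ip - user [ts] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


@dataclass
class Finding:
    ip: str       # source address that uploaded without a preceding login
    uploads: int  # number of successful (HTTP 200) attachment POSTs seen


def parse_line(line: str):
    """Return the fields of one combined-format access log line, or None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_attachment_upload(rec) -> bool:
    path = urlsplit(rec["target"]).path
    return rec["method"] == "POST" and path in ATTACHMENT_PATHS and rec["status"] == "200"


def is_successful_login(rec) -> bool:
    path = urlsplit(rec["target"]).path
    return rec["method"] == "POST" and path == LOGIN_PATH and rec["status"] in ("302", "303")


def find_anonymous_uploaders(lines, threshold: int = 3):
    """Heuristic: IPs with >= threshold attachment uploads and no login in the window."""
    uploads = defaultdict(int)
    logged_in = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not in combined format
        if is_successful_login(rec):
            logged_in.add(rec["ip"])
        elif is_attachment_upload(rec):
            uploads[rec["ip"]] += 1
    return [Finding(ip, n) for ip, n in sorted(uploads.items())
            if ip not in logged_in and n >= threshold]


def require_signin_view_enabled(app_ini: str) -> bool:
    """True only if [service] REQUIRE_SIGNIN_VIEW is explicitly set to a truthy value."""
    section = None
    for raw in app_ini.splitlines():
        line = raw.split(";", 1)[0].split("#", 1)[0].strip()  # drop ini comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "service" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().upper() == "REQUIRE_SIGNIN_VIEW":
                return value.strip().lower() in ("true", "1", "on", "yes")
    return False  # absent key: the vulnerable default


# Constructed sample data (not real traffic or a real config).
SAMPLE_LOG = """\
203.0.113.5 - - [19/Feb/2026:10:00:01 +0000] "GET /explore HTTP/1.1" 200 5120 "-" "python-requests/2.31"
203.0.113.5 - - [19/Feb/2026:10:00:02 +0000] "POST /releases/attachments HTTP/1.1" 200 48 "-" "python-requests/2.31"
203.0.113.5 - - [19/Feb/2026:10:00:03 +0000] "POST /releases/attachments HTTP/1.1" 200 48 "-" "python-requests/2.31"
203.0.113.5 - - [19/Feb/2026:10:00:04 +0000] "POST /issues/attachments HTTP/1.1" 200 48 "-" "python-requests/2.31"
198.51.100.7 - - [19/Feb/2026:10:05:00 +0000] "POST /user/login HTTP/1.1" 302 0 "https://git.example/user/login" "Mozilla/5.0"
198.51.100.7 - - [19/Feb/2026:10:06:00 +0000] "POST /issues/attachments HTTP/1.1" 200 48 "https://git.example/org/repo/issues/new" "Mozilla/5.0"
198.51.100.7 - - [19/Feb/2026:10:06:10 +0000] "POST /issues/attachments HTTP/1.1" 200 48 "https://git.example/org/repo/issues/new" "Mozilla/5.0"
198.51.100.7 - - [19/Feb/2026:10:06:20 +0000] "POST /issues/attachments HTTP/1.1" 200 48 "https://git.example/org/repo/issues/new" "Mozilla/5.0"
192.0.2.9 - - [19/Feb/2026:10:07:00 +0000] "POST /releases/attachments HTTP/1.1" 200 48 "-" "curl/8.4"
"""

VULNERABLE_INI = """\
[service]
; the affected versions' default: anonymous visitors may view and upload
REQUIRE_SIGNIN_VIEW = false
"""

HARDENED_INI = """\
[service]
REQUIRE_SIGNIN_VIEW = true   ; stopgap until the instance runs 0.14.1 or later
"""

if __name__ == "__main__":
    for cfg, label in ((VULNERABLE_INI, "vulnerable"), (HARDENED_INI, "hardened")):
        print(label, "config: REQUIRE_SIGNIN_VIEW enabled =", require_signin_view_enabled(cfg))
    for f in find_anonymous_uploaders(SAMPLE_LOG.splitlines()):
        print(f"suspicious uploader {f.ip}: {f.uploads} attachment POSTs, no login seen")
```

The log heuristic only narrows the search: a user whose session predates the log window also shows no login, so a hit is a lead to confirm against Gogs' own attachment records, not proof of abuse. Enabling REQUIRE_SIGNIN_VIEW closes the anonymous path but also hides public repositories, so the real fix is upgrading to 0.14.1.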
EPSS 0.10% · 27.3th percentile
Risk Scores
CVSS v4.0
6.9
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS Score
0.10%
27.3th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| gogs | gogs | >= 0, < 0.14.1 |
| gogs.io | gogs | >= 0 (no upper bound given in the feed; fixed in 0.14.1 per the description) |
Timeline
- Feb 17, 2026 CVE published
- Feb 19, 2026 CVE record updated
- Feb 19, 2026 EPSS score updated
- Feb 19, 2026 PoC published
- Feb 21, 2026 EPSS score updated
- Feb 22, 2026 EPSS score updated
- Feb 24, 2026 EPSS score updated
- Feb 26, 2026 EPSS score updated
- Feb 27, 2026 EPSS score updated
- Mar 1, 2026 EPSS score updated
- Mar 3, 2026 EPSS score updated
- Mar 5, 2026 EPSS score updated
References
- GitHub Security Advisory GHSA-fc3h-92p8-h36f: https://github.com/gogs/gogs/security/advisories/GHSA-fc3h-92p8-h36f
- Pull request #8128: https://github.com/gogs/gogs/pull/8128
- Commit 628216d: https://github.com/gogs/gogs/commit/628216d5889fcb838c471f4754f09b935d9cd9f3
- Release v0.14.1: https://github.com/gogs/gogs/releases/tag/v0.14.1
- NVD advisory: https://nvd.nist.gov/vuln/detail/CVE-2026-25242
- Package (project repository): https://github.com/gogs/gogs