CVE-2026-25242

Sažetak

Gogs is an open source self-hosted Git service. Versions 0.13.4 and below expose unauthenticated file upload endpoints by default. When the global RequireSigninView setting is disabled (default), any remote user can upload arbitrary files to the server via /releases/attachments and /issues/attachments. This enables the instance to be abused as a public file host, potentially leading to disk exhaustion, content hosting, or delivery of malware. CSRF tokens do not mitigate this attack due to same-origin cookie issuance. This issue has been fixed in version 0.14.1.

Reference

https://github.com/gogs/gogs/commit/628216d5889fcb838c471f4754f09b935d9cd9f3
https://github.com/gogs/gogs/pull/8128
https://github.com/gogs/gogs/releases/tag/v0.14.1
https://github.com/gogs/gogs/security/advisories/GHSA-fc3h-92p8-h36f

CVSS

Base:	9.8
Impact:	5.9
Exploitability:	3.9

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
HIGH	HIGH	HIGH

CVSS vektor

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Zadnje važnije ažuriranje

19-02-2026 - 19:46

Objavljeno

19-02-2026 - 07:17