SB2025121160 - Remote code execution via path traversal in Gogs
Published: December 11, 2025 Updated: April 27, 2026
Description
This security bulletin contains information about 1 vulnerability.
1) Path traversal (CVE-ID: CVE-2025-8110)
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Amber
The vulnerability allows a remote user to perform directory traversal attacks.
The vulnerability exists due to improper symbolic link handling in the PutContents API, caused by an insufficient patch for #VU119868 (CVE-2024-55947). A remote user can write a file to an arbitrary location on the system and execute arbitrary code.
Note: the vulnerability is being actively exploited in the wild.
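The following Go sketch is an added example, not code from Gogs or from its fix. It shows why a file-write API needs to resolve symbolic links before deciding that a path stays inside the repository directory: the lexical check `within` alone accepts a path that passes through a symlink. The names `SafeWritePath`, `within` and `ErrEscapesRoot` are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

var ErrEscapesRoot = errors.New("path resolves outside repository root")
// within reports whether p is root itself or lies below it (lexical only).
func within(root, p string) bool {
	rel, err := filepath.Rel(root, p)
	return err == nil && rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// SafeWritePath (hypothetical helper) maps a user-supplied relative path to an
// absolute one under root and rejects it when symlinks lead outside root.
func SafeWritePath(root, userPath string) (string, error) {
	realRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return "", err
	}
	target := filepath.Join(realRoot, filepath.FromSlash(userPath))
	if !within(realRoot, target) { // plain "../" traversal
		return "", ErrEscapesRoot
	}
	// Resolve the deepest component that exists, walking up from the target.
	for probe := target; ; probe = filepath.Dir(probe) {
		resolved, err := filepath.EvalSymlinks(probe)
		switch {
		case err == nil && within(realRoot, resolved):
			return target, nil
		case err == nil: // a symlink leads out of root
			return "", ErrEscapesRoot
		case !os.IsNotExist(err):
			return "", err
		}
		if _, lerr := os.Lstat(probe); lerr == nil { // dangling symlink
			return "", ErrEscapesRoot
		}
	}
}

func main() { // usage: prog <root> <relative-path>
	if len(os.Args) == 3 {
		fmt.Println(SafeWritePath(os.Args[1], os.Args[2]))
	}
}
```

A check followed by a separate write can still be raced if the tree changes in between. Go 1.24 and later provide `os.Root`, which confines the open operation itself to a directory.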
Remediation
Install the update from the vendor's website.