Improper Neutralization of Argument Delimiters in a Command in gogs - #VU132782


Published: May 29, 2026


Vulnerability identifier: #VU132782
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-88
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: gogs.io
Affected software:
gogs

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to argument injection in the Merge() function in internal/database/pull.go when processing a pull request with a malicious branch name during the "Rebase before merging" operation. A remote user can create a pull request with a specially crafted branch name to execute arbitrary code.

Exploitation requires rebase merging to be enabled on the target repository and does not require interaction from other users.
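As an added illustration of the CWE-88 pattern described above (example code, not gogs's Merge() or anything from this advisory): a defensive check that refuses branch names git could parse as options before they are placed in a rebase argv. The ref-name rules and the `git rebase <upstream> <branch>` argv shape are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"unicode"
)

// ErrUnsafeBranchName is returned for any name that must not reach git.
var ErrUnsafeBranchName = errors.New("unsafe branch name")

// ValidateBranchName rejects names that git would read as an option
// (leading '-') and names violating common ref-name rules.
// Rule set is constructed for this example, not gogs's own logic.
func ValidateBranchName(name string) error {
	if name == "" || strings.HasPrefix(name, "-") {
		return ErrUnsafeBranchName // a leading dash turns the ref into a flag
	}
	for _, r := range name {
		if unicode.IsControl(r) || unicode.IsSpace(r) ||
			strings.ContainsRune("~^:?*[\\", r) {
			return ErrUnsafeBranchName
		}
	}
	if strings.Contains(name, "..") || strings.Contains(name, "@{") ||
		strings.HasPrefix(name, "/") || strings.HasSuffix(name, "/") ||
		strings.HasSuffix(name, ".") || strings.HasSuffix(name, ".lock") {
		return ErrUnsafeBranchName
	}
	return nil
}

// RebaseArgs builds argv for a hypothetical "git rebase <upstream> <branch>"
// step. It validates both user-controlled names first; the argv is meant to
// be passed to exec.Command (no shell), so option injection is the only
// remaining delimiter risk, and the check above closes it.
func RebaseArgs(upstream, branch string) ([]string, error) {
	for _, n := range []string{upstream, branch} {
		if err := ValidateBranchName(n); err != nil {
			return nil, fmt.Errorf("%w: %q", err, n)
		}
	}
	return []string{"rebase", upstream, branch}, nil
}

func main() {
	args, err := RebaseArgs("main", "feature/login")
	fmt.Println(args, err) // [rebase main feature/login] <nil>
	_, err = RebaseArgs("main", "--help")
	fmt.Println(err) // unsafe branch name: "--help"
}
```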


Remediation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Sources