Path traversal in gogs - #VU133268


Published: June 3, 2026


Vulnerability identifier: #VU133268
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: gogs.io
Affected software:
gogs

Detailed vulnerability description

The vulnerability allows a remote user to cause a denial of service.

The vulnerability exists due to path traversal in the POST /:user/:repo/_preview/:branch/:path_to_file endpoint, where a user-controlled path is passed as an argument to the git diff command. A remote user can supply a crafted path that is interpreted as the --output option, causing git to overwrite critical files and resulting in a denial of service.

The issue requires an authorized user account and can be used to overwrite files such as the database or configuration file.
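The following Go snippet is an added defensive illustration, not code from gogs itself: the git command shape, the function names and the sample inputs are assumptions. It shows the two controls that close this class of bug: rejecting option-like or traversing path components before they reach git, and terminating git's option parsing with `--` so a remaining `--output=...` token can only be read as a pathspec.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// ErrUnsafePath is returned for any user-supplied path that must not reach git's argv.
var ErrUnsafePath = errors.New("unsafe path rejected")

// SafeDiffPath validates a repository-relative file path taken from the URL.
// It rejects empty paths, option-like tokens (anything starting with "-"),
// NUL bytes and ".." segments, then returns the normalised relative path.
func SafeDiffPath(userPath string) (string, error) {
	if userPath == "" || strings.HasPrefix(userPath, "-") || strings.ContainsRune(userPath, 0) {
		return "", ErrUnsafePath
	}
	for _, seg := range strings.Split(userPath, "/") {
		if seg == ".." {
			return "", ErrUnsafePath
		}
	}
	// Anchor at "/" so Clean cannot produce a path outside the repository root.
	cleaned := strings.TrimPrefix(path.Clean("/"+userPath), "/")
	if cleaned == "" {
		return "", ErrUnsafePath
	}
	return cleaned, nil
}

// DiffArgs builds argv for a preview diff (assumed command shape). The "--"
// separator tells git that every later token is a pathspec, never an option,
// so an "--output=<file>" token could not be honoured even if validation failed.
func DiffArgs(branch, userPath string) ([]string, error) {
	if strings.HasPrefix(branch, "-") {
		return nil, ErrUnsafePath // branch names are also attacker-influenced
	}
	p, err := SafeDiffPath(userPath)
	if err != nil {
		return nil, err
	}
	return []string{"diff", "--no-color", branch, "--", p}, nil
}

func main() {
	// Constructed sample inputs: one legitimate path, two that must be rejected.
	for _, in := range []string{"docs/README.md", "--output=some.file", "../../etc/passwd"} {
		args, err := DiffArgs("main", in)
		fmt.Printf("%q -> %v (err: %v)\n", in, args, err)
	}
}
```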


Remediation

Install the security update from the vendor's website.

Sources