Server-Side Request Forgery (SSRF) in gogs - CVE-2026-47267

Published: June 19, 2026


Vulnerability identifier: #VU134914
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-47267
CWE-ID: CWE-918
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: gogs.io
Affected software:
gogs

Detailed vulnerability description

The vulnerability allows a remote user who can configure webhooks (low privileges, CVSS PR:L) to make the Gogs server issue HTTP requests to internal network resources.

The vulnerability exists due to server-side request forgery in webhook deliveries: when delivering a webhook, Gogs follows HTTP redirects returned by the user-supplied webhook URL. A remote user can point a webhook at a host they control that answers with a redirect to an internal address, causing the server to send the delivery request (and any response it receives) to that internal target.

The issue is exploitable because the delivery client follows redirects without re-checking the redirect target: the redirected hostname is connected to even when it resolves to an address inside local or private CIDR ranges, so the redirect hop is not subject to the address filtering a practitioner would expect on the original URL.
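The following Go example is an added illustration and is not Gogs code. It shows the hardened pattern for a webhook delivery client: instead of checking only the URL the user typed, the address check runs inside the transport's `DialContext`, so every connection, including those made to follow a redirect, is resolved and compared against a blocklist of local and private ranges. The blocklist, the `LookupFunc` injection point, the hostnames and the 10.0.0.5 address are all assumptions constructed for this example.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/http"
	"time"
)

// Added example, not Gogs code. The CIDR list is an assumption covering the
// usual loopback, RFC 1918, link-local, CGNAT and IPv6 private ranges;
// extend it for your own environment.
var blockedNets = mustParseCIDRs(
	"0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
	"169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
	"::/128", "::1/128", "fc00::/7", "fe80::/10",
)

func mustParseCIDRs(cidrs ...string) []*net.IPNet {
	nets := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		nets = append(nets, n)
	}
	return nets
}

// ErrLocalTarget is returned when a webhook target resolves to a blocked range.
var ErrLocalTarget = errors.New("webhook target resolves to a local address")

// IsLocalIP reports whether ip lies in one of the blocked ranges.
// IPNet.Contains handles IPv4-mapped IPv6 addresses (::ffff:127.0.0.1) too.
func IsLocalIP(ip net.IP) bool {
	for _, n := range blockedNets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// LookupFunc abstracts DNS resolution so the policy can be tested offline.
type LookupFunc func(ctx context.Context, host string) ([]net.IPAddr, error)

// ResolveAndCheck resolves host and rejects it if any answer is local.
// It returns the vetted addresses so the caller can dial an IP, not the name.
func ResolveAndCheck(ctx context.Context, lookup LookupFunc, host string) ([]net.IPAddr, error) {
	ips, err := lookup(ctx, host)
	if err != nil {
		return nil, err
	}
	if len(ips) == 0 {
		return nil, fmt.Errorf("no addresses for %q", host)
	}
	for _, ip := range ips {
		if IsLocalIP(ip.IP) {
			return nil, fmt.Errorf("%w: %s -> %s", ErrLocalTarget, host, ip.IP)
		}
	}
	return ips, nil
}

// NewWebhookClient builds an http.Client whose dialer re-checks every
// connection. Doing the check in DialContext rather than once on the
// configured URL means redirect targets are covered as well.
func NewWebhookClient(lookup LookupFunc) *http.Client {
	if lookup == nil {
		lookup = net.DefaultResolver.LookupIPAddr
	}
	dialer := &net.Dialer{Timeout: 10 * time.Second}
	transport := &http.Transport{
		DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
			host, port, err := net.SplitHostPort(addr)
			if err != nil {
				return nil, err
			}
			ips, err := ResolveAndCheck(ctx, lookup, host)
			if err != nil {
				return nil, err
			}
			// Dial the address just vetted, not the hostname, so a second DNS
			// answer (rebinding) cannot swap in a local IP after the check.
			return dialer.DialContext(ctx, network, net.JoinHostPort(ips[0].IP.String(), port))
		},
	}
	return &http.Client{
		Transport: transport,
		Timeout:   30 * time.Second,
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			if len(via) >= 5 {
				return errors.New("too many redirects")
			}
			// Allow only http(s) hops; the dialer performs the address check.
			if req.URL.Scheme != "http" && req.URL.Scheme != "https" {
				return fmt.Errorf("refusing redirect to %s", req.URL)
			}
			return nil
		},
	}
}

func main() {
	// Constructed resolver: "internal.example" stands in for the hostname an
	// attacker's redirect points at; the dialer refuses the hop.
	fake := func(_ context.Context, host string) ([]net.IPAddr, error) {
		if host == "internal.example" {
			return []net.IPAddr{{IP: net.ParseIP("10.0.0.5")}}, nil
		}
		return nil, fmt.Errorf("unknown host %q", host)
	}
	_, err := NewWebhookClient(fake).Get("http://internal.example/admin")
	fmt.Println("delivery error:", err)
}
```

The point of the design is that a check performed only in `CheckRedirect`, or only on the URL when the webhook is saved, still leaves a gap: the hostname is resolved again at connect time, so a DNS answer that changes between the check and the dial (rebinding) can land the request on a local address. Resolving inside `DialContext` and dialing the vetted IP closes that gap for the initial request and for every redirect hop alike.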


How to mitigate CVE-2026-47267

Install the security update from the vendor's website. As general hardening while the update is rolled out (not a vendor-specific mitigation), restrict outbound connections from the Gogs host to internal networks with egress filtering and limit webhook configuration to trusted users.

Sources