CVE-2026-23633

Gogs has arbitrary file read/write via path traversal in Git hook editing

CVSS 6.5 MEDIUM · EPSS 0.5% · CWE-22
In short

Gogs allows attackers to read or write arbitrary files on the server by exploiting path traversal in the Git hook editing feature. This can lead to unauthorized data access or system compromise.

Technical detail

A path traversal vulnerability (CWE-22) in the Gogs Git hook editor allows authenticated or unauthenticated attackers to escape the intended directory context using directory traversal sequences, enabling arbitrary file read/write operations with the privileges of the Gogs process.

Summary generated and translated by AI from the official description.
Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, there is an arbitrary file read/write via path traversal in Git hook editing. This issue has been patched in versions 0.13.4 and 0.14.0+dev.
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Affected products
gogs · gogs
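
The path traversal class described under "Technical detail", shown as an unconfined path join beside a hardened form. This is an added example, not code from Gogs or its patch; the function names, the hook allowlist and the sample paths are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// Assumption: the editor only ever needs these server-side hook names.
var allowedHooks = map[string]bool{"pre-receive": true, "update": true, "post-receive": true}

var errRejected = errors.New("path rejected")

// unsafeHookPath is the CWE-22 pattern: Join normalizes ".." segments but
// does nothing to keep the result under hooksDir.
func unsafeHookPath(hooksDir, name string) string {
	return filepath.Join(hooksDir, name)
}

// confine resolves name under base and rejects any result outside base.
// Rel is used instead of a string prefix test, so a sibling directory such
// as "hooks-old" is not mistaken for a child of "hooks".
func confine(base, name string) (string, error) {
	abs, err := filepath.Abs(base)
	if err != nil {
		return "", err
	}
	p := filepath.Join(abs, name)
	rel, err := filepath.Rel(abs, p)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errRejected
	}
	return p, nil
}

// safeHookPath applies the allowlist first, then containment as a second layer.
func safeHookPath(hooksDir, name string) (string, error) {
	if !allowedHooks[name] {
		return "", errRejected
	}
	return confine(hooksDir, name)
}

func main() {
	dir := "/data/repo.git/hooks" // constructed sample path
	fmt.Println(unsafeHookPath(dir, "../../outside.txt"))
	fmt.Println(safeHookPath(dir, "../../outside.txt"))
	fmt.Println(safeHookPath(dir, "update"))
}
```

The containment check is lexical only: it does not resolve symlinks, so a hooks directory that may contain symlinks needs an additional resolved-path check before the file is opened.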
