CVE-2026-52806

Published Jun 24, 2026

Last updated 2 days ago

Overview

AI description

Automated description summarized from trusted sources.

CVE-2026-52806 is a Remote Code Execution (RCE) vulnerability affecting Gogs, an open-source self-hosted Git service. This flaw allows authenticated users to execute arbitrary commands on the server. The vulnerability stems from improper input sanitization within the `Merge` function in Gogs, specifically when handling the `git rebase` command during a "Rebase before merging" operation. An attacker can craft a pull request with a specially designed branch name that injects the `--exec` flag into the `git rebase` command, leading to the execution of arbitrary shell commands on the Gogs server. This issue has been addressed in Gogs version 0.14.3.
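A defensive check for the bug class described above, as an added example; it is not code from Gogs or from the 0.14.3 fix. It rejects branch names that git could parse as an option and passes the branch as a fully qualified ref, so the argument can never begin with `-`. `ValidateBranchName`, `RebaseArgs`, `ErrUnsafeRef` and the sample names are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrUnsafeRef marks a name that must not reach a git command line.
var ErrUnsafeRef = errors.New("unsafe branch name")

// ValidateBranchName (hypothetical helper) applies a conservative subset of
// git's ref-name rules plus the check that matters here: no leading '-'.
func ValidateBranchName(name string) error {
	if name == "" || name == "@" || strings.HasPrefix(name, "-") {
		return ErrUnsafeRef
	}
	if strings.ContainsAny(name, " ~^:?*[\\") ||
		strings.Contains(name, "..") || strings.Contains(name, "@{") {
		return ErrUnsafeRef
	}
	for _, r := range name {
		if r < 0x20 || r == 0x7f { // ASCII control characters
			return ErrUnsafeRef
		}
	}
	for _, part := range strings.Split(name, "/") {
		// Empty parts cover leading, trailing and doubled slashes.
		if part == "" || strings.HasPrefix(part, ".") || strings.HasSuffix(part, ".lock") {
			return ErrUnsafeRef
		}
	}
	return nil
}

// RebaseArgs (hypothetical helper) builds an argv slice for exec.Command.
// No shell is involved, and the "refs/heads/" prefix keeps the argument
// from being read as an option even if validation were bypassed.
func RebaseArgs(baseBranch string) ([]string, error) {
	if err := ValidateBranchName(baseBranch); err != nil {
		return nil, fmt.Errorf("%w: %q", err, baseBranch)
	}
	return []string{"rebase", "refs/heads/" + baseBranch}, nil
}

func main() {
	// Constructed sample names, not taken from any real repository.
	for _, n := range []string{"feature/login", "release-1.2", "--exec=placeholder", "-x", "a..b"} {
		args, err := RebaseArgs(n)
		fmt.Printf("%-22q args=%q err=%v\n", n, args, err)
	}
}
```

The same validation belongs at pull request creation as well as at merge time, so an option-like name is refused before it is stored.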

Description
Gogs is an open source self-hosted Git service. Prior to 0.14.3, Gogs allows authenticated users to achieve Remote Code Execution (RCE) on the server by creating a pull request with a specially crafted branch name that injects the `--exec` flag into the `git rebase` command during the "Rebase before merging" merge operation. This vulnerability is fixed in 0.14.3.
Source
security-advisories@github.com
NVD status
Deferred

Risk scores

CVSS 3.1

Type
Secondary
Base score
9.9
Impact score
6
Exploitability score
3.1
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Severity
CRITICAL

Weaknesses

security-advisories@github.com
CWE-77

Social media

Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.

Hype score

4