CVE-2026-52813

Published Jun 24, 2026

Last updated 3 days ago

Overview

AI description

Automated description summarized from trusted sources.

CVE-2026-52813 is a path traversal vulnerability found in Gogs, an open-source self-hosted Git service, affecting all versions prior to 0.14.3. The flaw stems from Gogs accepting organization names that contain path traversal sequences (e.g., "../"), which are then used to construct filesystem paths without proper sanitization. This vulnerability allows an attacker to store or retrieve repository data at arbitrary locations on the filesystem. By creating a nested structure of Git repositories, an attacker can overwrite the Git hooks configuration of another repository, ultimately leading to Remote Code Execution (RCE).

Description
Gogs is an open source self-hosted Git service. Prior to 0.14.3, organization names containing path traversal sequences (../) are accepted by Gogs, and repositories under them are written to paths following these path traversals. This allows storing/retrieving data for repositories at arbitrary locations on the filesystem. By creating a nested structure of Git repositories, one can overwrite the other's hooks configuration, resulting in Remote Code Execution (RCE). This vulnerability is fixed in 0.14.3.
Source: security-advisories@github.com
NVD status: Deferred
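The weakness class in the description (CWE-23: a user-supplied name joined into a filesystem path) is illustrated below as an added example. It is not Gogs code or the 0.14.3 patch; the function names, the name allow-list and the repository root are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// validName is an assumed allow-list for owner and repository names
// (hypothetical policy, not the rule Gogs itself applies).
var validName = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9_.-]*$`)

var errBadName = errors.New("name rejected")
var errEscape = errors.New("path escapes repository root")

// unsafeRepoPath models the flawed pattern: the owner name is joined as-is,
// so "../" segments are resolved by filepath.Join and leave the root.
func unsafeRepoPath(root, owner, repo string) string {
	return filepath.Join(root, owner, repo+".git")
}

// safeRepoPath rejects names outside the allow-list, then re-checks that the
// joined path is still contained in root (defence in depth).
func safeRepoPath(root, owner, repo string) (string, error) {
	for _, n := range []string{owner, repo} {
		if !validName.MatchString(n) || strings.Contains(n, "..") {
			return "", fmt.Errorf("%w: %q", errBadName, n)
		}
	}
	root = filepath.Clean(root)
	p := filepath.Join(root, owner, repo+".git")
	rel, err := filepath.Rel(root, p)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errEscape
	}
	return p, nil
}

func main() {
	root := "/data/gogs-repositories" // constructed sample root
	for _, owner := range []string{"acme", "../../tmp/x", "..", "a/b", "a..b"} {
		p, err := safeRepoPath(root, owner, "site")
		fmt.Printf("owner=%q unsafe=%s safe=%q err=%v\n",
			owner, unsafeRepoPath(root, owner, "site"), p, err)
	}
}
```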

Risk scores

CVSS 3.1

Type: Secondary
Base score: 10
Impact score: 6
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Severity: CRITICAL

Weaknesses

security-advisories@github.com: CWE-23
