Vulnerability-Lookup

CVE-2026-25242 (GCVE-0-2026-25242)

Vulnerability from cvelistv5 – Published: 2026-02-19 02:28 – Updated: 2026-02-19 17:44

Title

Gogs allows unauthenticated file uploads

Summary

Gogs is an open source self-hosted Git service. Versions 0.13.4 and below expose unauthenticated file upload endpoints by default. When the global RequireSigninView setting is disabled (default), any remote user can upload arbitrary files to the server via /releases/attachments and /issues/attachments. This enables the instance to be abused as a public file host, potentially leading to disk exhaustion, content hosting, or delivery of malware. CSRF tokens do not mitigate this attack due to same-origin cookie issuance. This issue has been fixed in version 0.14.1.

Severity ?

6.9 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

CWE

CWE-862 - Missing Authorization

Assigner

GitHub_M

References

URL

Tags

	https://github.com/gogs/gogs/security/advisories/…	x_refsource_CONFIRM
	https://github.com/gogs/gogs/pull/8128	x_refsource_MISC
	https://github.com/gogs/gogs/commit/628216d5889fc…	x_refsource_MISC
	https://github.com/gogs/gogs/releases/tag/v0.14.1	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	gogs	gogs	Affected: < 0.14.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-25242",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-19T17:23:29.408186Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-19T17:44:40.834Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "gogs",
          "vendor": "gogs",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.14.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Gogs is an open source self-hosted Git service. Versions 0.13.4 and below expose unauthenticated file upload endpoints by default. When the global RequireSigninView setting is disabled (default), any remote user can upload arbitrary files to the server via /releases/attachments and /issues/attachments. This enables the instance to be abused as a public file host, potentially leading to disk exhaustion, content hosting, or delivery of malware. CSRF tokens do not mitigate this attack due to same-origin cookie issuance. This issue has been fixed in version 0.14.1."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "LOW"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862: Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-19T02:28:40.140Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/gogs/gogs/security/advisories/GHSA-fc3h-92p8-h36f",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/gogs/gogs/security/advisories/GHSA-fc3h-92p8-h36f"
        },
        {
          "name": "https://github.com/gogs/gogs/pull/8128",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/gogs/gogs/pull/8128"
        },
        {
          "name": "https://github.com/gogs/gogs/commit/628216d5889fcb838c471f4754f09b935d9cd9f3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/gogs/gogs/commit/628216d5889fcb838c471f4754f09b935d9cd9f3"
        },
        {
          "name": "https://github.com/gogs/gogs/releases/tag/v0.14.1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/gogs/gogs/releases/tag/v0.14.1"
        }
      ],
      "source": {
        "advisory": "GHSA-fc3h-92p8-h36f",
        "discovery": "UNKNOWN"
      },
      "title": "Gogs allows unauthenticated file uploads"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-25242",
    "datePublished": "2026-02-19T02:28:40.140Z",
    "dateReserved": "2026-01-30T14:44:47.329Z",
    "dateUpdated": "2026-02-19T17:44:40.834Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-25242\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-02-19T07:17:45.687\",\"lastModified\":\"2026-02-19T15:52:39.260\",\"vulnStatus\":\"Undergoing Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Gogs is an open source self-hosted Git service. Versions 0.13.4 and below expose unauthenticated file upload endpoints by default. When the global RequireSigninView setting is disabled (default), any remote user can upload arbitrary files to the server via /releases/attachments and /issues/attachments. This enables the instance to be abused as a public file host, potentially leading to disk exhaustion, content hosting, or delivery of malware. CSRF tokens do not mitigate this attack due to same-origin cookie issuance. This issue has been fixed in version 0.14.1.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":6.9,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"LOW\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-862\"}]}],\"references\":[{\"url\":\"https://github.com/gogs/gogs/commit/628216d5889fcb838c471f4754f09b935d9cd9f3\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/gogs/gogs/pull/8128\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/gogs/gogs/releases/tag/v0.14.1\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/gogs/gogs/security/advisories/GHSA-fc3h-92p8-h36f\",\"source\":\"security-advisories@github.com\"}]}}"
  }
}

GHSA-FC3H-92P8-H36F

Vulnerability from github – Published: 2026-02-17 18:44 – Updated: 2026-02-17 18:44

Summary

Unauthenticated File Upload in Gogs

Details

Security Advisory:Unauthenticated File Upload in Gogs Vulnerability Type: Unauthenticated File Upload Date: Aug 5, 2025 Discoverer: OpenAI Security Research

Summary

Gogs exposes unauthenticated file upload endpoints by default. When the global RequireSigninView setting is disabled (default), any remote user can upload arbitrary files to the server via /releases/attachments and /issues/attachments. This enables the instance to be abused as a public file host, potentially leading to disk exhaustion, content hosting, or delivery of malware. CSRF tokens do not mitigate this attack due to same-origin cookie issuance.

Affected Versions

Software: Gogs
Confirmed Version(s): 28f83626d4ed0aa7b89493be2ea8b79ca038331e
Likely Affected: All versions since 2020-04-05 with unauthenticated attachments endpoints
Introduced Commit: 07818d5fa

Vulnerability Details

The web.go router exposes the following endpoints under the ignSignIn route group:

Vulnerable Code Snippet

m.Post("/issues/attachments", repo.UploadIssueAttachment)
m.Post("/releases/attachments", repo.UploadReleaseAttachment)

These endpoints are accessible by unauthenticated users if the configuration variable RequireSigninView is false (default). This allows arbitrary file uploads to data/attachments, returning a UUID in response.

While CSRF protection is enabled, attackers can obtain a valid token anonymously from the site and use it in the upload request without authentication.

Description

Anonymous file upload using only default configuration and a CSRF token obtained from the homepage.

POC

# Run Gogs docker 
docker start gogs

# Software will be run on http://localhost:10880/. Finish the setup with local Sqlite database

# Get CSRF cookie into a jar
curl -sS -c cookies.txt http://localhost:10880/ -o /dev/null

# Extract the _csrf value from the jar
CSRF="$(awk '$6=="_csrf"{print $7}' cookies.txt | tail -n1)"

# Upload the file, sending cookie jar + header
curl -sS \
  -b cookies.txt -c cookies.txt \
  -H "X-CSRF-Token: $CSRF" \
  -H "Referer: http://localhost:10880/" \
  -F "file=@image.png" \
  http://localhost:10880/issues/attachments

 => {"uuid":"<UUID>"}

The attachment will be available at: http://localhost:10880/attachments/

Impact

Unrestricted File Upload: Attackers can store arbitrary content on the server. Denial-of-Service: Repeated uploads can exhaust disk space. Malware Hosting: Gogs may inadvertently serve attacker-hosted payloads under its domain.

Realistic Exploitation Scenarios

Spammers or malicious actors use the Gogs instance to host phishing payloads or malware.
Attackers fill up disk with repeated uploads.
Attackers use hosted Gogs instances as public file dumps (e.g., for P2P, exfiltration)

Potential Impact

This unauthenticated upload vector effectively turns any Gogs instance into a file hosting platform open to the public. This is especially dangerous for production or Internet-exposed installations. The combination of no login requirement, wildcard MIME support, and unrestricted access to attachments enables both resource abuse and potential malware distribution.

Timeline

August 2025: Discovered via GPT5
August 2025: Reproduced and confirmed via PoC and sanitizer
Aug 6, 2025 - Sent to Gogs via https://github.com/gogs/gogs/security/advisories/new

Severity ?

6.9 (Medium)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "gogs.io/gogs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.14.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-25242"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-17T18:44:07Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "Security Advisory:Unauthenticated File Upload in Gogs\nVulnerability Type: Unauthenticated File Upload\nDate: Aug 5, 2025\nDiscoverer: OpenAI Security Research\n\n## Summary\nGogs exposes unauthenticated file upload endpoints by default. When the global RequireSigninView setting is disabled (default), any remote user can upload arbitrary files to the server via /releases/attachments and /issues/attachments. This enables the instance to be abused as a public file host, potentially leading to disk exhaustion, content hosting, or delivery of malware. CSRF tokens do not mitigate this attack due to same-origin cookie issuance.\n\n## Affected Versions\n\n- Software: [Gogs](https://github.com/gogs/gogs/tree/main)\n- Confirmed Version(s): 28f83626d4ed0aa7b89493be2ea8b79ca038331e\n- Likely Affected: All versions since 2020-04-05 with unauthenticated attachments endpoints\n- Introduced Commit: 07818d5fa\n\n## Vulnerability Details\nThe web.go router exposes the following endpoints under the ignSignIn route group:\n\n### Vulnerable Code Snippet\n```\nm.Post(\"/issues/attachments\", repo.UploadIssueAttachment)\nm.Post(\"/releases/attachments\", repo.UploadReleaseAttachment)\n```\nThese endpoints are accessible by unauthenticated users if the configuration variable RequireSigninView is false (default). This allows arbitrary file uploads to data/attachments, returning a UUID in response.\n\nWhile CSRF protection is enabled, attackers can obtain a valid token anonymously from the site and use it in the upload request without authentication.\n## Description\nAnonymous file upload using only default configuration and a CSRF token obtained from the homepage.\n## POC\n```\n# Run Gogs docker \ndocker start gogs\n\n# Software will be run on http://localhost:10880/. Finish the setup with local Sqlite database\n\n# Get CSRF cookie into a jar\ncurl -sS -c cookies.txt http://localhost:10880/ -o /dev/null\n\n# Extract the _csrf value from the jar\nCSRF=\"$(awk \u0027$6==\"_csrf\"{print $7}\u0027 cookies.txt | tail -n1)\"\n\n# Upload the file, sending cookie jar + header\ncurl -sS \\\n  -b cookies.txt -c cookies.txt \\\n  -H \"X-CSRF-Token: $CSRF\" \\\n  -H \"Referer: http://localhost:10880/\" \\\n  -F \"file=@image.png\" \\\n  http://localhost:10880/issues/attachments\n\n =\u003e {\"uuid\":\"\u003cUUID\u003e\"}\n```\nThe attachment will be available at: http://localhost:10880/attachments/\u003cuuid\u003e\n\n## Impact\n**Unrestricted File Upload:** Attackers can store arbitrary content on the server.\n**Denial-of-Service:** Repeated uploads can exhaust disk space.\n**Malware Hosting:** Gogs may inadvertently serve attacker-hosted payloads under its domain.\n\n## Realistic Exploitation Scenarios\n\n- Spammers or malicious actors use the Gogs instance to host phishing payloads or malware.\n- Attackers fill up disk with repeated uploads.\n- Attackers use hosted Gogs instances as public file dumps (e.g., for P2P, exfiltration)\n\n## Potential Impact\nThis unauthenticated upload vector effectively turns any Gogs instance into a file hosting platform open to the public. This is especially dangerous for production or Internet-exposed installations. The combination of no login requirement, wildcard MIME support, and unrestricted access to attachments enables both resource abuse and potential malware distribution.\n\n## Timeline\n\n- August 2025: Discovered via GPT5\n- August 2025: Reproduced and confirmed via PoC and sanitizer\n- Aug 6, 2025 - Sent to Gogs via https://github.com/gogs/gogs/security/advisories/new",
  "id": "GHSA-fc3h-92p8-h36f",
  "modified": "2026-02-17T18:44:07Z",
  "published": "2026-02-17T18:44:07Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/gogs/gogs/security/advisories/GHSA-fc3h-92p8-h36f"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gogs/gogs/pull/8128"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gogs/gogs/commit/628216d5889fcb838c471f4754f09b935d9cd9f3"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/gogs/gogs"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gogs/gogs/releases/tag/v0.14.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Unauthenticated File Upload in Gogs"
}

WID-SEC-W-2026-0423

Vulnerability from csaf_certbund - Published: 2026-02-15 23:00 - Updated: 2026-02-15 23:00

Summary

Gogs: Mehrere Schwachstellen

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

Gogs ist ein einfacher Git-Server.

Angriff

Ein Angreifer kann mehrere Schwachstellen in Gogs ausnutzen, um Dateien zu manipulieren, Sicherheitsmaßnahmen zu umgehen oder Administratorrechte zu erlangen.

Betroffene Betriebssysteme

- Sonstiges - UNIX

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Gogs ist ein einfacher Git-Server.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein Angreifer kann mehrere Schwachstellen in Gogs ausnutzen, um Dateien zu manipulieren, Sicherheitsma\u00dfnahmen zu umgehen oder Administratorrechte zu erlangen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Sonstiges\n- UNIX",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2026-0423 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-0423.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2026-0423 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-0423"
      },
      {
        "category": "external",
        "summary": "Gogs GitHub vom 2026-02-15",
        "url": "https://github.com/gogs/gogs/security/advisories/GHSA-2c6v-8r3v-gh6p"
      },
      {
        "category": "external",
        "summary": "Gogs GitHub vom 2026-02-15",
        "url": "https://github.com/gogs/gogs/security/advisories/GHSA-cv22-72px-f4gh"
      },
      {
        "category": "external",
        "summary": "Gogs GitHub vom 2026-02-15",
        "url": "https://github.com/gogs/gogs/security/advisories/GHSA-fc3h-92p8-h36f"
      },
      {
        "category": "external",
        "summary": "Gogs GitHub vom 2026-02-15",
        "url": "https://github.com/gogs/gogs/security/advisories/GHSA-jj5m-h57j-5gv7"
      }
    ],
    "source_lang": "en-US",
    "title": "Gogs: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2026-02-15T23:00:00.000+00:00",
      "generator": {
        "date": "2026-02-16T11:35:26.593+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.5.0"
        }
      },
      "id": "WID-SEC-W-2026-0423",
      "initial_release_date": "2026-02-15T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2026-02-15T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c0.14.1",
                "product": {
                  "name": "Open Source Gogs \u003c0.14.1",
                  "product_id": "T050921"
                }
              },
              {
                "category": "product_version",
                "name": "0.14.1",
                "product": {
                  "name": "Open Source Gogs 0.14.1",
                  "product_id": "T050921-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:gogs:gogs:0.14.1"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Gogs"
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-25120",
      "product_status": {
        "known_affected": [
          "T050921"
        ]
      },
      "release_date": "2026-02-15T23:00:00.000+00:00",
      "title": "CVE-2026-25120"
    },
    {
      "cve": "CVE-2026-25229",
      "product_status": {
        "known_affected": [
          "T050921"
        ]
      },
      "release_date": "2026-02-15T23:00:00.000+00:00",
      "title": "CVE-2026-25229"
    },
    {
      "cve": "CVE-2026-25232",
      "product_status": {
        "known_affected": [
          "T050921"
        ]
      },
      "release_date": "2026-02-15T23:00:00.000+00:00",
      "title": "CVE-2026-25232"
    },
    {
      "cve": "CVE-2026-25242",
      "product_status": {
        "known_affected": [
          "T050921"
        ]
      },
      "release_date": "2026-02-15T23:00:00.000+00:00",
      "title": "CVE-2026-25242"
    }
  ]
}

FKIE_CVE-2026-25242

Vulnerability from fkie_nvd - Published: 2026-02-19 07:17 - Updated: 2026-02-19 15:52

Severity ?

6.9 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/gogs/gogs/commit/628216d5889fcb838c471f4754f09b935d9cd9f3
	security-advisories@github.com	https://github.com/gogs/gogs/pull/8128
	security-advisories@github.com	https://github.com/gogs/gogs/releases/tag/v0.14.1
	security-advisories@github.com	https://github.com/gogs/gogs/security/advisories/GHSA-fc3h-92p8-h36f

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Gogs is an open source self-hosted Git service. Versions 0.13.4 and below expose unauthenticated file upload endpoints by default. When the global RequireSigninView setting is disabled (default), any remote user can upload arbitrary files to the server via /releases/attachments and /issues/attachments. This enables the instance to be abused as a public file host, potentially leading to disk exhaustion, content hosting, or delivery of malware. CSRF tokens do not mitigate this attack due to same-origin cookie issuance. This issue has been fixed in version 0.14.1."
    }
  ],
  "id": "CVE-2026-25242",
  "lastModified": "2026-02-19T15:52:39.260",
  "metrics": {
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 6.9,
          "baseSeverity": "MEDIUM",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "NONE",
          "vulnIntegrityImpact": "LOW",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-02-19T07:17:45.687",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/gogs/gogs/commit/628216d5889fcb838c471f4754f09b935d9cd9f3"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/gogs/gogs/pull/8128"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/gogs/gogs/releases/tag/v0.14.1"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/gogs/gogs/security/advisories/GHSA-fc3h-92p8-h36f"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Undergoing Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-862"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-25242 (GCVE-0-2026-25242)

GHSA-FC3H-92P8-H36F

Summary

Affected Versions

Vulnerability Details

Vulnerable Code Snippet

Description

POC

Impact

Realistic Exploitation Scenarios

Potential Impact

Timeline

WID-SEC-W-2026-0423

FKIE_CVE-2026-25242

Tags

Sightings

Nomenclature