A critical argument injection vulnerability has been discovered in Gogs, a self-hosted Git service, allowing authenticated users to execute remote code on the server. This vulnerability, scored 9.4 on the CVSSv4 scale, lets an attacker inject malicious arguments into the git rebase invocation that runs during a merge operation, by creating a pull request with a specially crafted branch name. The exploit requires no administrative privileges, so any authenticated user can trigger it. The vulnerability is particularly concerning because it remained unfixed by the vendor at the time of publication [1]. The lack of a patch leaves Gogs users exposed and highlights the need for alternative mitigations. Remote code execution on the server is a significant concern for security practitioners, since it could be leveraged to gain unauthorized access to sensitive data and systems.
Authenticated RCE via Argument Injection in Gogs (NOT FIXED)
⚠️ Critical Alert
Why This Matters
The vulnerability allows any authenticated user to achieve remote code execution (RCE) on the server by creating a pull request with a malicious branch name that injects the.
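As an added illustration (not code from Rapid7 or from the Gogs project), the following Python contrasts a constructed "before" argv builder that hands a user-controlled branch name straight to git with a hardened builder that validates the name against git's ref-name rules and terminates option parsing with "--". That git rebase honours the standard "--" end-of-options marker is an assumption of this example.

```python
import re
from typing import List

# Characters and sequences git's own ref-name rules forbid (see git
# check-ref-format): control chars, space, "..", "@{", "~^:?*[\", "//",
# "/.", a trailing ".lock", and leading/trailing "." or "/".
_FORBIDDEN = re.compile(
    r"[\x00-\x20\x7f~^:?*\[\\]|\.\.|@\{|//|/\.|\.lock$|^\.|\.$|^/|/$"
)


def is_safe_ref_name(name: str) -> bool:
    """True only for names that cannot be mistaken for a git option
    and that also satisfy git's syntactic rules for ref names."""
    if not name or name.startswith("-"):
        return False  # an option-looking name is the argument-injection vector
    return _FORBIDDEN.search(name) is None


def build_rebase_argv_unsafe(base: str, head: str) -> List[str]:
    # Constructed "before" example: the user-controlled refs are appended as
    # bare arguments, so a name beginning with "-" is parsed as an option.
    return ["git", "rebase", base, head]


def build_rebase_argv(base: str, head: str) -> List[str]:
    """Hardened form: reject invalid names, then place "--" before the refs
    so git's option parser cannot interpret them as options (assumption:
    git rebase accepts the standard "--" end-of-options marker)."""
    for ref in (base, head):
        if not is_safe_ref_name(ref):
            raise ValueError(f"rejected ref name: {ref!r}")
    return ["git", "rebase", "--", base, head]


def rejects(base: str, head: str) -> bool:
    """Helper for checks: does the hardened builder refuse this pair?"""
    try:
        build_rebase_argv(base, head)
    except ValueError:
        return True
    return False
```

The same two defences apply to every other git subcommand a service builds from user-supplied ref names: validate the name, and never let it be the first thing git's option parser sees.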
References
- [1] Rapid7. (2026, May 28). Authenticated RCE via Argument Injection in Gogs (NOT FIXED). Rapid7 Blog. https://www.rapid7.com/blog/post/ve-authenticated-rce-via-argument-injection-gogs-unfixed
Original Source
Rapid7 Blog