A critical remote code execution bug in Gogs, a self-hosted Git service, remains unpatched despite being reported to the project maintainers in mid-March, allowing any authenticated user to fully compromise vulnerable servers [1]. The 9.4-rated flaw can be exploited to steal credentials and multi-factor authentication secrets and to modify code in hosted repositories, a direct threat to software supply-chain security. An exploit module is now publicly available, raising the likelihood of widespread attacks. The vulnerability can be exploited on default installations without special privileges, so it is a significant concern for any organization running the service. With no patch available despite the report, users need to take alternative measures to secure their systems. For practitioners, the case underlines the importance of timely patching and of proactive security measures to prevent potential attacks.
No fix yet for critical RCE bug in open-source Git service Gogs - exploit module is out
⚡ High Priority
Why This Matters
A security researcher reported the 9.4-rated flaw to project maintainers in mid-March.
References
- The Register. (2026, May 29). No fix yet for critical RCE bug in open-source Git service Gogs - exploit module is out. *The Register*. https://www.theregister.com/security/2026/05/29/no-fix-yet-for-critical-gogs-rce-bug-exploit-module-is-out/5248691