Plattform
go
Komponente
gogs.io/gogs
Behoben in
0.14.1
0.13.5
0.13.4
CVE-2026-24135 describes a Path Traversal vulnerability discovered in Gogs, a self-hosted Git service. This vulnerability allows an attacker to delete arbitrary files on the server by manipulating wiki page updates. The vulnerability affects versions prior to 0.13.4. A fix has been released in version 0.13.4.
The primary impact of this vulnerability is the potential for arbitrary file deletion. An attacker who can successfully exploit this flaw could delete critical system files, configuration files, or application data, leading to a denial of service or even complete compromise of the Gogs server. The ability to delete files grants significant control over the affected system, potentially enabling further malicious actions. While the advisory notes potential false positives from vulnerability scanners, the core risk remains the ability to delete files via crafted wiki page updates.
This CVE was published on 2026-02-17. No public proof-of-concept (PoC) code has been released as of this writing. The vulnerability is not currently listed on CISA KEV. The advisory mentions potential false positives from vulnerability scanners, suggesting the vulnerability may be difficult to reliably detect without direct exploitation attempts.
Self-hosted Gogs instances running versions prior to 0.13.4 are at risk. This includes organizations using Gogs for internal Git repositories and development teams relying on Gogs for code management. Shared hosting environments running Gogs are particularly vulnerable due to the potential for cross-tenant exploitation.
• go / binary: Examine Gogs binary for suspicious file deletion functions called during wiki page update processing.
• linux / server: Monitor Gogs logs (typically in /var/log/gogs/) for unusual file deletion attempts, especially those involving paths outside of the intended wiki directory. Use journalctl -u gogs to filter relevant logs.
• generic web: Monitor web server access logs for requests to wiki update endpoints with unusual path parameters. Use curl -v <gogsurl>/<wikiupdate_endpoint> to test for path traversal.
disclosure
Exploit-Status
EPSS
0.06% (17% Perzentil)
CISA SSVC
The recommended mitigation is to immediately upgrade Gogs to version 0.13.4 or later. If upgrading is not immediately feasible, consider implementing strict access controls to limit who can modify wiki pages. While a direct workaround is not available, restricting file system access for the Gogs process can limit the damage an attacker can inflict. Monitor Gogs logs for unusual file deletion attempts. After upgrading, verify the integrity of critical files and directories to ensure no unauthorized modifications occurred.
Actualice Gogs a la versión 0.13.4 o superior. Alternativamente, actualice a la versión 0.14.0+dev o superior. Estas versiones contienen la corrección para la vulnerabilidad de path traversal que permite la eliminación arbitraria de archivos.
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
CVE-2026-24135 is a Path Traversal vulnerability in Gogs affecting versions before 0.13.4, allowing attackers to delete arbitrary files.
If you are running Gogs versions prior to 0.13.4, you are potentially affected by this vulnerability.
Upgrade Gogs to version 0.13.4 or later to remediate the vulnerability. Restrict file system access for the Gogs process as a temporary measure.
As of now, there are no confirmed reports of active exploitation, but the potential for exploitation exists.
Refer to the Gogs security advisory for detailed information and updates: [https://github.com/gogs/gogs/security/advisories/GHSA-xxxx-xxxx-xxxx](https://github.com/gogs/gogs/security/advisories/GHSA-xxxx-xxxx-xxxx) (replace with actual advisory URL)
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.
Lade deine go.mod-Datei hoch und wir sagen dir sofort, ob du betroffen bist.