Platform: go
Component: gogs.io/gogs
Fixed in: 0.14.1, 0.13.5, 0.13.4
CVE-2026-24135 describes a Path Traversal vulnerability discovered in Gogs, a self-hosted Git service. This vulnerability allows an attacker to delete arbitrary files on the server by manipulating wiki page updates. The vulnerability affects versions prior to 0.13.4. A fix has been released in version 0.13.4.
The primary impact of this vulnerability is the potential for arbitrary file deletion. An attacker who can successfully exploit this flaw could delete critical system files, configuration files, or application data, leading to a denial of service or even complete compromise of the Gogs server. The ability to delete files grants significant control over the affected system, potentially enabling further malicious actions. While the advisory notes potential false positives from vulnerability scanners, the core risk remains the ability to delete files via crafted wiki page updates.
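An added illustration of the vulnerability class described above, not code from Gogs or from its fix: a Go helper that resolves a user-supplied wiki page name under a base directory and refuses to delete anything that resolves outside it. The function names, the `.md` suffix and the sample paths are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrInvalidName is returned for empty names and names that leave the base directory.
var ErrInvalidName = errors.New("invalid wiki page name")

// unsafePagePath shows the risky pattern: the user-supplied name is joined
// to the base directory with no containment check (hypothetical helper).
func unsafePagePath(base, name string) string {
	return filepath.Join(base, name+".md")
}

// safePagePath resolves name under base and rejects results outside it.
// The check is lexical; it does not resolve symlinks inside base.
func safePagePath(base, name string) (string, error) {
	if name == "" || strings.ContainsRune(name, 0) {
		return "", ErrInvalidName
	}
	base = filepath.Clean(base)
	p := filepath.Join(base, name+".md")
	rel, err := filepath.Rel(base, p)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrInvalidName
	}
	return p, nil
}

// deletePage removes a page file only after the containment check passes.
func deletePage(base, name string) error {
	p, err := safePagePath(base, name)
	if err != nil {
		return err
	}
	return os.Remove(p)
}

func main() {
	base := "/data/wiki" // constructed path, not a Gogs default
	for _, n := range []string{"Home", "docs/Setup", "../../etc/app"} {
		_, err := safePagePath(base, n)
		fmt.Printf("%-16q unsafe=%s safe-err=%v\n", n, unsafePagePath(base, n), err)
	}
}
```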
This CVE was published on 2026-02-17. No public proof-of-concept (PoC) code has been released as of this writing. The vulnerability is not currently listed on CISA KEV. The advisory mentions potential false positives from vulnerability scanners, suggesting the vulnerability may be difficult to reliably detect without direct exploitation attempts.
Exploit Status
EPSS: 0.06% (17th percentile)
CISA SSVC
The recommended mitigation is to immediately upgrade Gogs to version 0.13.4 or later. If upgrading is not immediately feasible, consider implementing strict access controls to limit who can modify wiki pages. While a direct workaround is not available, restricting file system access for the Gogs process can limit the damage an attacker can inflict. Monitor Gogs logs for unusual file deletion attempts. After upgrading, verify the integrity of critical files and directories to ensure no unauthorized modifications occurred.
Upgrade Gogs to version 0.13.4 or later. Alternatively, upgrade to version 0.14.0+dev or later. These versions contain the fix for the path traversal vulnerability that allows arbitrary file deletion.
CVE-2026-24135 is a Path Traversal vulnerability in Gogs affecting versions before 0.13.4, allowing attackers to delete arbitrary files.
If you are running Gogs versions prior to 0.13.4, you are potentially affected by this vulnerability.
Upgrade Gogs to version 0.13.4 or later to remediate the vulnerability. Restrict file system access for the Gogs process as a temporary measure.
As of now, there are no confirmed reports of active exploitation, but the potential for exploitation exists.
Refer to the Gogs security advisory for detailed information and updates: [https://github.com/gogs/gogs/security/advisories/GHSA-xxxx-xxxx-xxxx](https://github.com/gogs/gogs/security/advisories/GHSA-xxxx-xxxx-xxxx) (replace with actual advisory URL)