๐Ÿ” CVE Alert

CVE-2026-25242

UNKNOWN 0.0

Gogs allows unauthenticated file uploads

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

Gogs is an open source self-hosted Git service. Versions 0.13.4 and below expose unauthenticated file upload endpoints by default. When the global RequireSigninView setting is disabled (default), any remote user can upload arbitrary files to the server via /releases/attachments and /issues/attachments. This enables the instance to be abused as a public file host, potentially leading to disk exhaustion, content hosting, or delivery of malware. CSRF tokens do not mitigate this attack due to same-origin cookie issuance. This issue has been fixed in version 0.14.1.

CWE: CWE-862
Vendor: gogs
Product: gogs
Published: Feb 19, 2026
Last Updated: Feb 19, 2026

Affected Versions

gogs / gogs
< 0.14.1

References

NVD, CVE.org, EPSS Data
github.com: https://github.com/gogs/gogs/security/advisories/GHSA-fc3h-92p8-h36f
github.com: https://github.com/gogs/gogs/pull/8128
github.com: https://github.com/gogs/gogs/commit/628216d5889fcb838c471f4754f09b935d9cd9f3
github.com: https://github.com/gogs/gogs/releases/tag/v0.14.1