CVE-2026-52806

CRITICAL 9.9

Gogs: RCE via git rebase --exec argument injection in pull request merge

CVSS Score

9.9

EPSS Score

0.0%

EPSS Percentile

0th

Gogs is an open source self-hosted Git service. Prior to 0.14.3, Gogs allows authenticated users to achieve Remote Code Execution (RCE) on the server by creating a pull request with a specially crafted branch name that injects the --exec flag into the git rebase command during the "Rebase before merging" merge operation. This vulnerability is fixed in 0.14.3.

CWE	CWE-77
Vendor	gogs
Product	gogs
Published	Jun 24, 2026

Stay Ahead of the Next One

Get instant alerts for gogs gogs

Be the first to know when new critical vulnerabilities affecting gogs gogs are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

gogs / gogs

< 0.14.3

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/gogs/gogs/security/advisories/GHSA-qf6p-p7ww-cwr9 github.com: https://github.com/gogs/gogs/pull/8301 github.com: https://github.com/gogs/gogs/commit/a9dbafbfd8e1020bacc626420238c01d75d03364 github.com: https://github.com/gogs/gogs/releases/tag/v0.14.3