๐Ÿ” CVE Alert

CVE-2026-52811

UNKNOWN 0.0

Gogs: UploadRepoFiles writes outside repo working tree via committed parent sym

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

Gogs is an open source self-hosted Git service. Prior to 0.14.3, (*Repository).UploadRepoFiles checks for symlinks only on the leaf of the upload target (osx.IsSymlink(targetPath)). Its siblings UpdateRepoFile, DeleteRepoFile, and GetDiffPreview use hasSymlinkInPath, which lstats every path component; UploadRepoFiles is the lone outlier. An attacker with repo-write access who supplies a multipart upload whose filename contains a literal backslash (preserved by filepath.Base on Linux, then converted to / by pathx.Clean) can redirect the write through a previously committed directory symlink. iox.CopyFile opens the destination with os.Create (no O_NOFOLLOW), so the kernel follows the parent symlink and writes attacker-controlled bytes anywhere the gogs UID can write: ~git/.ssh/authorized_keys (an SSH foothold) or <repo>.git/hooks/post-receive (code execution on the next push). This vulnerability is fixed in 0.14.3.
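As an added illustration (not Gogs's own code, and not the patch that 0.14.3 ships), the leaf-only check is placed beside a component-by-component walk in Go: normalizeUploadName, isSymlink, hasSymlinkInPath and checkUploadTarget are names chosen here, and the backslash-to-slash replacement stands in for the filepath.Base/pathx.Clean behaviour the description mentions.

```go
package main

import (
	"errors"
	"os"
	"path"
	"strings"
)

// normalizeUploadName mimics what the advisory describes: a backslash survives
// filepath.Base on Linux and then becomes "/", so `linkdir\x` gains a parent.
func normalizeUploadName(name string) string {
	return path.Clean(strings.ReplaceAll(name, `\`, "/"))
}

// isSymlink is the leaf-only check: it Lstats just the final path.
func isSymlink(p string) bool {
	fi, err := os.Lstat(p)
	return err == nil && fi.Mode()&os.ModeSymlink != 0
}

// hasSymlinkInPath Lstats every component of rel beneath root, so a directory
// symlink above the leaf is caught. Missing components are skipped: the file
// being created does not exist yet and cannot be a link.
func hasSymlinkInPath(root, rel string) bool {
	cur := root
	for _, part := range strings.Split(rel, "/") {
		if part == "" || part == "." {
			continue
		}
		cur += "/" + part
		if isSymlink(cur) {
			return true
		}
	}
	return false
}

// checkUploadTarget is the hardened gate: normalize the client-supplied name,
// refuse anything that escapes the tree, then walk every component.
func checkUploadTarget(root, name string) error {
	rel := normalizeUploadName(name)
	if path.IsAbs(rel) || rel == ".." || strings.HasPrefix(rel, "../") {
		return errors.New("upload target escapes the repository tree")
	}
	if hasSymlinkInPath(root, rel) {
		return errors.New("upload target passes through a symbolic link")
	}
	return nil
}
```

A walk before the write still leaves a window between the Lstat calls and the later os.Create, so it complements, rather than replaces, opening the destination without following links.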

CWE: CWE-22, CWE-59, CWE-61
Vendor: gogs
Product: gogs
Published: Jun 24, 2026

Affected Versions

gogs / gogs
< 0.14.3

References

NVD, CVE.org, EPSS Data
https://github.com/gogs/gogs/security/advisories/GHSA-89mr-xqfv-758m
https://github.com/gogs/gogs/pull/8332
https://github.com/gogs/gogs/commit/04cb8afbb01d855454e59977a1cdbf522ea1db31
https://github.com/gogs/gogs/releases/tag/v0.14.3