Critical Gogs Path Traversal Vulnerability Enables RCE

EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in Budibase versions prior to 3.39.0. These vulnerabilities affect various components of the platform and include Server-Side Request Forgery (SSRF), authorization bypass, privilege escalation, improper access control, and other security weaknesses that could allow attackers to gain unauthorized access, interact with internal services, manipulate application functionality, or access sensitive information. Successful exploitation could compromise the confidentiality, integrity, and availability of organizational data while enabling unauthorized actions within affected environments. The cumulative impact of these flaws poses a significant risk to organizations relying on vulnerable Budibase deployments, potentially resulting in data exposure, privilege abuse, and disruption of business operations.[emaillocker id="1283"]

• CVE-2026-48146 with a CVSS score of 9.8 – This critical Server-Side Request Forgery (SSRF) vulnerability allows attackers to force the application to make unauthorized requests to internal or external resources, potentially exposing sensitive services and data.
• CVE-2026-48147 with a CVSS score of 8.8 – An authorization weakness could allow attackers to bypass intended security restrictions and perform actions beyond their assigned privileges.
• CVE-2026-48148 with a CVSS score of 8.8 – Improper access control may enable unauthorized access to sensitive application resources or data.
• CVE-2026-48149 with a CVSS score of 8.1 – A security flaw could allow attackers to manipulate application functionality and gain unauthorized advantages within affected environments.
• CVE-2026-48150 with a CVSS score of 8.1 – Insufficient validation mechanisms may permit unauthorized operations that could affect application integrity and security.
• CVE-2026-48151 with a CVSS score of 8.1 – A privilege-related weakness could allow attackers to perform actions outside their intended permission scope.
• CVE-2026-48152 with a CVSS score of 7.5 – An authorization bypass vulnerability allows users to elevate privileges or access functionality that should be restricted, potentially leading to unauthorized administrative actions.
• CVE-2026-48153 with a CVSS score of 7.5 – An access control weakness may expose sensitive information or permit unauthorized interactions with protected resources.

The presence of multiple high and critical severity vulnerabilities significantly increases the risk to affected Budibase environments. Successful exploitation could enable attackers to access sensitive information, abuse elevated privileges, interact with internal services, and compromise application security controls. Organizations should prioritize upgrading to Budibase 3.39.0 or later to mitigate the risk of unauthorized access, data breaches, and operational disruption.

RECOMMENDATION:

• We recommend you to update Gogs to version 0.14.3.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-c39w-43gm-34h5
https://github.com/advisories/GHSA-6p9m-q3jp-47h4
https://github.com/advisories/GHSA-89mr-xqfv-758m
https://github.com/advisories/GHSA-wmfg-5p4h-5fw3
https://github.com/advisories/GHSA-268j-37xf-pp52
https://github.com/advisories/GHSA-vcm5-gvmp-78mp
https://github.com/advisories/GHSA-qf6p-p7ww-cwr9
https://github.com/advisories/GHSA-g2f5-gjr4-qjvm