Threat Advisory

Multiple Vulnerabilities in Gogs Trigger Git Injection, LFS Overwrite and XSS Attacks

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Critical


EXECUTIVE SUMMARY:

Multiple vulnerabilities were discovered in the Gogs self-hosted Git service. These flaws include improper handling of Git command arguments, insufficient verification of Large File Storage (LFS) objects, and inadequate sanitization of user input in issue comments. An attacker could exploit these weaknesses to manipulate Git operations, overwrite repository objects across different projects, or inject malicious scripts through stored cross-site scripting (XSS). Successful exploitation may compromise repository integrity, enable potential supply-chain attacks, or allow malicious JavaScript execution against users interacting with affected repositories. Updating the Gogs software to the latest patched release resolves these security issues.


  • CVE-2026-26194: An argument injection vulnerability in Gogs in which user-controlled tag names are passed to Git commands during release deletion without proper sanitization. This flaw can interfere with Git command execution and potentially enable manipulation of repository operations. The vulnerability has a CVSS score of 8.8.
  • CVE-2026-25921: A vulnerability that allows cross-repository overwriting of Git LFS objects due to missing content-hash verification. Attackers could replace stored objects across repositories, creating a potential software supply-chain compromise. The vulnerability has a CVSS score of 9.3.
  • CVE-2026-26022: A stored cross-site scripting (XSS) vulnerability in the issue comment and description functionality. Because the HTML sanitizer allows the data: URI scheme, authenticated users can inject malicious links that execute arbitrary JavaScript when viewed by other users. The vulnerability has a CVSS score of 8.7.
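As an added illustration, not code from Gogs or from the referenced advisories, the Go example below shows the three input checks whose absence the CVEs above describe: an end-of-options guard for a user-supplied Git operand, content-hash verification of an LFS object before it is accepted, and a scheme allowlist for link targets in comment HTML. The function names, the sample tag name and the LFS payload are constructed for this example and do not correspond to identifiers in the Gogs code base.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/url"
	"strings"
)

// SafeGitArgs builds the argument vector for a git subcommand whose last
// operand (for example a release tag name) comes from a user. Two defenses
// are combined: an operand starting with "-" is rejected, because git would
// otherwise parse it as an option, and the "--" end-of-options marker is
// placed before the operand so git always treats it as a plain name.
// Hypothetical helper; it does not reproduce the Gogs code path.
func SafeGitArgs(subcommand string, fixedArgs []string, userOperand string) ([]string, error) {
	if userOperand == "" || strings.HasPrefix(userOperand, "-") {
		return nil, fmt.Errorf("refusing operand that git could parse as an option: %q", userOperand)
	}
	if strings.ContainsAny(userOperand, " \t\r\n\x00") {
		return nil, fmt.Errorf("operand contains whitespace or NUL: %q", userOperand)
	}
	args := append([]string{subcommand}, fixedArgs...)
	args = append(args, "--", userOperand)
	return args, nil
}

// VerifyLFSObject checks that uploaded content really hashes to the OID the
// client claimed. Git LFS OIDs are the lowercase hex SHA-256 of the object.
// Without this check a client can store arbitrary bytes under an OID that
// another repository already references, which is the overwrite scenario
// the advisory describes.
func VerifyLFSObject(claimedOID string, content []byte) error {
	oid := strings.ToLower(claimedOID)
	if len(oid) != sha256.Size*2 {
		return fmt.Errorf("OID %q is not a SHA-256 hex digest", claimedOID)
	}
	if _, err := hex.DecodeString(oid); err != nil {
		return fmt.Errorf("OID %q is not valid hex: %w", claimedOID, err)
	}
	sum := sha256.Sum256(content)
	if actual := hex.EncodeToString(sum[:]); actual != oid {
		return fmt.Errorf("content hash %s does not match claimed OID %s", actual, oid)
	}
	return nil
}

// allowedLinkSchemes is the allowlist a comment sanitizer should apply to
// href values. data:, javascript: and vbscript: are deliberately absent:
// browsers treat them as inline or executable content, not as a navigation
// target, so a link using them can run script in the viewer's session.
var allowedLinkSchemes = map[string]bool{"http": true, "https": true, "mailto": true}

// SafeLinkHref reports whether a link target may be kept by the sanitizer.
// Relative references are allowed; absolute URLs must use an allowlisted
// scheme. ASCII control characters are removed before parsing, since
// browsers ignore them inside a scheme ("java\tscript:" still executes).
func SafeLinkHref(href string) bool {
	cleaned := strings.Map(func(r rune) rune {
		if r < 0x20 || r == 0x7f {
			return -1
		}
		return r
	}, strings.TrimSpace(href))
	u, err := url.Parse(cleaned)
	if err != nil {
		return false
	}
	if u.Scheme == "" {
		return true // relative link such as /owner/repo/issues/1
	}
	return allowedLinkSchemes[strings.ToLower(u.Scheme)]
}

func main() {
	args, err := SafeGitArgs("tag", []string{"-d"}, "v1.0.0")
	fmt.Println(args, err)
	_, err = SafeGitArgs("tag", []string{"-d"}, "--output=/tmp/x")
	fmt.Println("option-like tag rejected:", err != nil)

	content := []byte("constructed LFS payload\n") // constructed sample object
	sum := sha256.Sum256(content)
	oid := hex.EncodeToString(sum[:])
	fmt.Println("correct OID accepted:", VerifyLFSObject(oid, content) == nil)
	fmt.Println("wrong content rejected:", VerifyLFSObject(oid, []byte("other")) != nil)

	for _, h := range []string{"https://example.com/x", "/owner/repo/issues/1",
		"data:text/html,constructed", "java\tscript:void(0)"} {
		fmt.Printf("%q allowed: %v\n", h, SafeLinkHref(h))
	}
}
```

The hash check in VerifyLFSObject is what makes LFS storage safe to key by OID: an object can only be written under an OID if its bytes produce that digest, so a second repository cannot substitute different content for an OID the first one already references. The scheme allowlist is preferable to a denylist of data: and javascript: because any scheme the sanitizer has not thought about is rejected by default.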


RECOMMENDATION:

  • We strongly recommend that you update Gogs to version 0.14.2 or later.


REFERENCES:

The following reports contain further technical details:

https://github.com/advisories/GHSA-v9vm-r24h-6rqm
https://github.com/advisories/GHSA-cj4v-437j-jq4c
https://github.com/advisories/GHSA-xrcr-gmf5-2r8j
