CVE-2026-52796
Severity: Low (CVSS 3.5)
Exploitation Probability (EPSS): Low risk, 20th percentile (higher than 20% of all known CVEs)
Summary
Gogs is an open source Git service that, prior to version 0.14.3, could panic when rendering a specially crafted issue index pattern, resulting in denial of service.
Risk Assessment
Organizations may experience unavailability of pages in repositories that contain issue index references, which can impact service performance and availability.
Recommendation
It is recommended to upgrade Gogs to version 0.14.3 or later to mitigate this vulnerability.
Original NVD description (English source)
Gogs is an open source self-hosted Git service. Prior to 0.14.3, specially crafted issue index pattern can cause a panic when rendering, resulting in denial of service. In internal/markup/markup.go, RenderIssueIndexPattern renders the issue index pattern to a link using com.Expand, which is not safe: when the configured pattern contains an opening brace { but no closing brace }, strings.Index(template, "}") returns -1 and the subsequent slice template[:-1] triggers a panic. Once such a pattern is set, any page in the affected repository that contains an issue index reference such as #1 becomes unavailable. This vulnerability is fixed in 0.14.3.
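The unchecked-index pattern described above, next to a bounds-checked variant, as an added example (not code from Gogs or from the com package). The helper names, the placeholder names and the tracker URL are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// expandUnsafe reproduces the flaw: the result of strings.Index is used as a
// slice bound without checking for -1 (hypothetical helper, not com.Expand).
func expandUnsafe(tmpl string, vars map[string]string) string {
	var b strings.Builder
	for open := strings.Index(tmpl, "{"); open >= 0; open = strings.Index(tmpl, "{") {
		b.WriteString(tmpl[:open])
		tmpl = tmpl[open+1:]
		end := strings.Index(tmpl, "}") // -1 when the brace is never closed
		b.WriteString(vars[tmpl[:end]]) // panics: slice bounds out of range [:-1]
		tmpl = tmpl[end+1:]
	}
	return b.String() + tmpl
}

// expandSafe leaves an unterminated placeholder as literal text.
func expandSafe(tmpl string, vars map[string]string) string {
	var b strings.Builder
	for open := strings.Index(tmpl, "{"); open >= 0; open = strings.Index(tmpl, "{") {
		end := strings.Index(tmpl[open:], "}")
		if end < 0 {
			break // no closing brace: stop expanding, keep the rest as-is
		}
		b.WriteString(tmpl[:open])
		b.WriteString(vars[tmpl[open+1:open+end]])
		tmpl = tmpl[open+end+1:]
	}
	return b.String() + tmpl
}

// panics reports whether f panicked, recovering so the caller keeps running.
func panics(f func()) (p bool) {
	defer func() { p = recover() != nil }()
	f()
	return false
}

func main() {
	vars := map[string]string{"user": "alice", "repo": "demo", "index": "1"} // constructed
	good := "https://tracker.example/{user}/{repo}/issues/{index}"
	bad := "https://tracker.example/{user}/{repo}/issues/{index" // missing "}"
	fmt.Println(expandUnsafe(good, vars), expandSafe(good, vars))
	fmt.Println(panics(func() { expandUnsafe(bad, vars) }), expandSafe(bad, vars))
}
```

Rejecting a pattern with unbalanced braces when the setting is saved complements the render-time check, since the panic is triggered by stored configuration rather than by the page request itself.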

