CVE Catalog

CVE-2026-52806

CriticalCVSS 9.9
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Elevated risk
1.03%

59th percentile — higher than 59% of all known CVEs

Summary

Gogs before version 0.14.3 allows authenticated users to achieve Remote Code Execution (RCE) on the server by creating a pull request with a specially crafted branch name that injects the --exec flag into the git rebase command during the 'Rebase before merging' merge operation.

Risk Assessment

An attacker can take control of the Gogs server, leading to full data compromise, repository modification, and potential lateral movement to other systems in the network.

Recommendation

Immediately upgrade Gogs to version 0.14.3 or later. If upgrading is not possible, temporarily disable the 'Rebase before merging' feature for all repositories.

Original NVD description (English source)

Gogs is an open source self-hosted Git service. Prior to 0.14.3, Gogs allows authenticated users to achieve Remote Code Execution (RCE) on the server by creating a pull request with a specially crafted branch name that injects the --exec flag into the git rebase command during the "Rebase before merging" merge operation. This vulnerability is fixed in 0.14.3.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS