CVE-2026-52806
CriticalCVSS 9.9Exploitation Probability (EPSS)
Elevated risk59th percentile — higher than 59% of all known CVEs
Summary
Gogs before version 0.14.3 allows authenticated users to achieve Remote Code Execution (RCE) on the server by creating a pull request with a specially crafted branch name that injects the --exec flag into the git rebase command during the 'Rebase before merging' merge operation.
Risk Assessment
An attacker can take control of the Gogs server, leading to full data compromise, repository modification, and potential lateral movement to other systems in the network.
Recommendation
Immediately upgrade Gogs to version 0.14.3 or later. If upgrading is not possible, temporarily disable the 'Rebase before merging' feature for all repositories.
Original NVD description (English source)
Gogs is an open source self-hosted Git service. Prior to 0.14.3, Gogs allows authenticated users to achieve Remote Code Execution (RCE) on the server by creating a pull request with a specially crafted branch name that injects the --exec flag into the git rebase command during the "Rebase before merging" merge operation. This vulnerability is fixed in 0.14.3.

