CVE Catalog

CVE-2026-52810

HighCVSS 7.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.43%

34th percentile — higher than 34% of all known CVEs

Summary

Gogs is an open source self-hosted Git service. Prior to 0.14.3, Git smart HTTP authorized POST …/git-receive-pack using the client-supplied service query string, allowing push where only read should be allowed.

Risk Assessment

This vulnerability may lead to unauthorized changes in repositories, posing a risk to data integrity and potential security breaches.

Recommendation

It is recommended to upgrade Gogs to version 0.14.3 or later to mitigate this vulnerability.

Original NVD description (English source)

Gogs is an open source self-hosted Git service. Prior to 0.14.3, Git smart HTTP authorizes POST …/git-receive-pack using the client-supplied service query string (so ?service=git-upload-pack is evaluated as read access) while routing still runs git receive-pack, allowing push where only read should be allowed. This vulnerability is fixed in 0.14.3.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS