CVE-2026-52811
CriticalCVSS 9.0Exploitation Probability (EPSS)
Low risk37th percentile — higher than 37% of all known CVEs
Summary
Gogs before version 0.14.3 contains a vulnerability due to improper symlink checking during multipart file upload. An attacker with repo-write access can use a filename containing a backslash to write arbitrary data outside the repository, e.g., to authorized_keys or a post-receive hook.
Risk Assessment
The risk includes full server compromise via SSH key injection or remote code execution (RCE) through hook replacement.
Recommendation
Upgrade Gogs to version 0.14.3 or later immediately to fix this vulnerability.
Original NVD description (English source)
Gogs is an open source self-hosted Git service. Prior to 0.14.3, (*Repository).UploadRepoFiles checks for symlinks only on the leaf of the upload target (osx.IsSymlink(targetPath)). The siblings UpdateRepoFile, DeleteRepoFile, and GetDiffPreview use hasSymlinkInPath, which lstats every component — UploadRepoFiles is the lone outlier. An attacker with repo-write access plus a multipart upload whose filename contains a literal backslash (preserved by filepath.Base on Linux, then converted to / by pathx.Clean) redirects the write through a previously-committed directory symlink. iox.CopyFile opens the destination with os.Create (no O_NOFOLLOW), so the kernel follows the parent symlink and writes attacker bytes anywhere the gogs UID can write — ~git/.ssh/authorized_keys → SSH foothold, or <repo>.git/hooks/post-receive → next-push RCE. This vulnerability is fixed in 0.14.3.

