CVE-2026-47267

Description

Gogs is an open source self-hosted Git service. Prior to 0.14.3, the fix for CVE-2022-1285 prevents adding webooks or running webhooks with URLs with a hostname that resolves in localCIDRs. However, webhooks still follow redirects allowing to access hostname inside localCIDRs. This vulnerability is fixed in 0.14.3.

CVSS breakdown

CVSS 3.1

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

Low

Affected products

gogs / gogs< 0.14.3 – < 0.14.3

References

VENDOR_ADVISORYhttps://github.com/gogs/gogs/security/advisories/GHSA-c4v7-xg93-qf8g
PATCHhttps://github.com/gogs/gogs/pull/8263
PATCHhttps://github.com/gogs/gogs/commit/199cf4fd5bbe40b92f6dc8d649e241fd7a8d0018