CVE-2026-52801

Description

Gogs is an open source self-hosted Git service. Prior to 0.14.3, the Gogs Mirror Settings functionality provide an alternative way from the well protected New Migration functionality for any authenticated users to import local repositories. This issue stems from a lack of validation of SaveAddress function. This vulnerability is fixed in 0.14.3.

CVSS breakdown

CVSS 3.1

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

High

Affected products

gogs / gogs< 0.14.3 – < 0.14.3

References

VENDOR_ADVISORYhttps://github.com/gogs/gogs/security/advisories/GHSA-wv27-2vqp-j7g5
PATCHhttps://github.com/gogs/gogs/pull/8225
PATCHhttps://github.com/gogs/gogs/commit/11e19f28b5c82466fd1689c94344ef4313ee986c
PATCHhttps://github.com/gogs/gogs/releases/tag/v0.14.3