CVE-2026-52806

Summary

Gogs is an open source self-hosted Git service. Prior to 0.14.3, Gogs allows authenticated users to achieve Remote Code Execution (RCE) on the server by creating a pull request with a specially crafted branch name that injects the –exec flag into the git rebase command during the "Rebase before merging" merge operation. This vulnerability is fixed in 0.14.3.

Affected Software

VendorProductVersion RangeStatus
gogsgogs< 0.14.3affected

Weaknesses

  • CWE-77: CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: total

Additional References

References