anonhaven
Ad

CVE-2026-25921

CRITICAL CVSS 3.1: 9.3 EPSS 0.03%
Updated Mar 06, 2026
Gogs
Parameter Value
CVSS 9.3 (CRITICAL)
Affected Versions before 0.14.2
Fixed In 0.14.2
Type CWE-345 (Insufficient Verification of Data)
Vendor Gogs
Public PoC No

Gogs is an open source self-hosted Git service. Prior to version 0.14.2, overwritable LFS object across different repos leads to supply-chain attack, all LFS objects are vulnerable to be maliciously overwritten by malicious attackers. This issue has been patched in version 0.14.2.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Privileges Required
None
No privileges needed
User Interaction
None
No user interaction needed

Impact Assessment

Confidentiality
None
No data leak
Integrity
High
Complete data modification
Availability
Low
Partial disruption

CVSS Vector v3.1

Weakness Type (CWE)

CWE-345 Insufficient Verification of Data

Vulnerable Products 1

Configuration From (including) Up to (excluding)
Gogs Gogs
cpe:2.3:a:gogs:gogs:*:*:*:*:*:*:*:*
 0.14.2

References 4

https://github.com/gogs/gogs/commit/81ee8836445ac888d99da8b652be7d5cbc5c4d5c
security-advisories@github.com
https://github.com/gogs/gogs/pull/8166
security-advisories@github.com
https://github.com/gogs/gogs/releases/tag/v0.14.2
security-advisories@github.com
https://github.com/gogs/gogs/security/advisories/GHSA-cj4v-437j-jq4c
security-advisories@github.com
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-26276

Gogs

5.4

CVE-2026-26196

Gogs

6.9

CVE-2026-26195

Gogs

6.9

CVE-2026-26194

Gogs

8.8

CVE-2026-26022

Gogs

5.4