CVE-2026-25232 in Gogsالمعلومات

الملخص

بحسب MITRE • 19/02/2026

Gogs is an open source self-hosted Git service. Versions 0.13.4 and below have an access control bypass vulnerability which allows any repository collaborator with Write permissions to delete protected branches (including the default branch) by sending a direct POST request, completely bypassing the branch protection mechanism. This vulnerability in the DeleteBranchPost function eenables privilege escalation from Write to Admin level, allowing low-privilege users to perform dangerous operations that should be restricted to administrators only. Although Git Hook layer correctly prevents protected branch deletion via SSH push, the web interface deletion operation does not trigger Git Hooks, resulting in complete bypass of protection mechanisms. In oder to exploit this vulnerability, attackers must have write permissions to the target repository, protected branches configured to the target repository and access to the Gogs web interface. This issue has been fixed in version 0.14.1.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

🔬 Show More Details

An in-depth analysis is available in our curated vulnerability entry.

مسؤول

GitHub M

حجز

30/01/2026

إفشاء

19/02/2026

الاعتدال

تمت الموافقة

إدخال

VDB-346666

CPE

جاهز

CWE

CWE-863 (مؤكد)

CVSS

8.8 (NVD)

EPSS

0.00016

KEV

لا

النشاطات

منخفض جدًا

المصادر

MITRE	https://www.cve.org/CVERecord?id=CVE-2026-25232
NVD	https://nvd.nist.gov/vuln/detail/CVE-2026-25232
CVE Details	https://www.cvedetails.com/cve/CVE-2026-25232/

التالي ▸نظرة عامة ◂ السابق

Interested in the pricing of exploits?

See the underground prices here!