PT-2026-20320 · Gogs · Gogs

Tenbbughunters · Published 2026-02-17 · Updated 2026-03-03

CVE-2026-25120

CVSS v4.0: 5.1 (Medium)
Vector: AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Gogs versions 0.13.4 and below
Description: Gogs, a self-hosted Git service, has an issue where the DeleteComment API does not verify that a comment belongs to the repository specified in the URL. This allows a repository administrator to delete comments from any other repository by supplying arbitrary comment IDs, bypassing authorization controls. The DeleteComment function retrieves a comment by ID without validating repository ownership, and the database function DeleteCommentByID performs no repository validation either. The vulnerable API endpoint is /owner/repo/issues/comments/:id/delete; the vulnerable parameter is :id, the comment ID.
Recommendations: Update to version 0.14.0 or later to resolve this issue.
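The authorization gap described above, shown as an added Go illustration (this is not Gogs' own code; the types, store and function names are hypothetical): the unchecked handler deletes whatever comment ID it is given, while the repository-scoped version walks comment -> issue -> repository and refuses when that chain does not end at the repository from the URL.

```go
package main

import "errors"

// Constructed in-memory model with hypothetical names; not Gogs' own types.
type Comment struct{ ID, IssueID int64 }
type Issue struct{ ID, RepoID int64 }
type Store struct {
	comments map[int64]*Comment
	issues   map[int64]*Issue
}

var ErrNotFound = errors.New("comment not found")

// deleteCommentUnchecked mirrors the flaw described above: the comment is
// fetched by ID alone; repoID (the repository from the URL) is never used.
func (s *Store) deleteCommentUnchecked(repoID, commentID int64) error {
	if _, ok := s.comments[commentID]; !ok {
		return ErrNotFound
	}
	delete(s.comments, commentID)
	return nil
}

// deleteCommentChecked resolves comment -> issue -> repository and refuses
// unless the chain ends at the repository named in the URL. A foreign comment
// is reported as "not found" so the endpoint does not confirm its existence.
func (s *Store) deleteCommentChecked(repoID, commentID int64) error {
	c, ok := s.comments[commentID]
	if !ok {
		return ErrNotFound
	}
	if issue, ok := s.issues[c.IssueID]; !ok || issue.RepoID != repoID {
		return ErrNotFound
	}
	delete(s.comments, commentID)
	return nil
}

// newSampleStore: constructed data, comment 10 in repo 100 and comment 20 in repo 200.
func newSampleStore() *Store {
	return &Store{
		comments: map[int64]*Comment{10: {10, 1}, 20: {20, 2}},
		issues:   map[int64]*Issue{1: {1, 100}, 2: {2, 200}},
	}
}

func main() {
	// Repo 100's admin targets comment 20, which belongs to repo 200.
	println("unchecked deletes:", newSampleStore().deleteCommentUnchecked(100, 20) == nil) // true
	println("checked deletes:", newSampleStore().deleteCommentChecked(100, 20) == nil)     // false
}
```

The same check belongs in the data layer too: a DeleteCommentByID-style query that takes only the comment ID cannot enforce repository scope, so pass the repository (or the issue) down and make the query filter on it.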

Exploit · Fix · IDOR

Weakness Enumeration

Related Identifiers

CVE-2026-25120
GHSA-JJ5M-H57J-5GV7
GO-2026-4501
SUSE-SU-2026:0757-1

Affected Products

Gogs