PT-2026-20323 · Gogs · Gogs
Brelinsky-Openai · Published 2026-02-14 · Updated 2026-03-10 · CVE-2026-25242
CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Gogs versions prior to 0.14.1 (0.13.4 and below)

Description: Gogs, an open-source self-hosted Git service, allows unauthenticated file uploads by default. When the RequireSigninView setting is disabled (the default configuration), any remote user can upload arbitrary files to the server through the /releases/attachments and /issues/attachments API endpoints. The issue stems from the UploadIssueAttachment() and UploadReleaseAttachment() functions, which accept uploads without requiring a signed-in user. CSRF protection is enabled, but attackers can bypass it by obtaining a valid token anonymously; exploitation then consists of a POST request to one of the vulnerable endpoints carrying that token and the file to be uploaded. As a result, attackers can store arbitrary content on the server, so the Gogs instance can be misused as a public file host, leading to disk exhaustion (denial of service), hosting of unwanted content, or malware distribution.

Recommendations: Versions prior to 0.14.1 (including 0.13.4 and below) should be updated to version 0.14.1 or later.
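As an added illustration (not Gogs' code, and not part of this advisory), the Go program below models the weakness class and its fix: a multipart upload handler on the two attachment routes, once gated only by a site-wide require-sign-in-to-view toggle (the flawed pattern, where the default of false leaves uploads open to anonymous users) and once gated unconditionally behind an authenticated session. The session cookie name, the in-memory session store, the per-upload size cap and the route wiring are assumptions for the example.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"mime/multipart"
	"net/http"
	"net/http/httptest"
)

// Constructed in-memory session store: cookie value -> user name.
var sessions = map[string]string{"sess-alice": "alice"}

// currentUser returns the signed-in user for r, or "" when anonymous.
// The cookie name "session" is hypothetical for this example.
func currentUser(r *http.Request) string {
	c, err := r.Cookie("session")
	if err != nil {
		return ""
	}
	return sessions[c.Value]
}

const maxAttachmentBytes = 4 << 20 // hypothetical 4 MiB per-upload cap

// uploadAttachment accepts a multipart "file" field. It does no
// authorization of its own; a wrapper must decide who may reach it.
func uploadAttachment(w http.ResponseWriter, r *http.Request) {
	r.Body = http.MaxBytesReader(w, r.Body, maxAttachmentBytes)
	f, hdr, err := r.FormFile("file")
	if err != nil {
		http.Error(w, "bad upload", http.StatusBadRequest)
		return
	}
	defer f.Close()
	n, _ := io.Copy(io.Discard, f) // a real handler would persist the bytes
	fmt.Fprintf(w, "stored %s (%d bytes)\n", hdr.Filename, n)
}

// requireSignIn rejects anonymous requests before next runs.
func requireSignIn(next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if currentUser(r) == "" {
			http.Error(w, "sign-in required", http.StatusUnauthorized)
			return
		}
		next(w, r)
	}
}

// buildRouter wires the two attachment routes named in the advisory.
// requireSigninView mirrors the site-wide view toggle (default false).
// hardened=false reproduces the flawed pattern: uploads are gated only
// by that toggle. hardened=true always gates uploads behind sign-in.
func buildRouter(requireSigninView, hardened bool) *http.ServeMux {
	mux := http.NewServeMux()
	upload := http.HandlerFunc(uploadAttachment)
	if hardened || requireSigninView {
		upload = requireSignIn(upload)
	}
	mux.Handle("/releases/attachments", upload)
	mux.Handle("/issues/attachments", upload)
	return mux
}

// postUpload sends a constructed multipart upload to path, with an
// optional session cookie, and returns the HTTP status code.
func postUpload(mux *http.ServeMux, path, cookie string) int {
	var body bytes.Buffer
	mw := multipart.NewWriter(&body)
	part, _ := mw.CreateFormFile("file", "note.txt")
	part.Write([]byte("constructed attachment content"))
	mw.Close()
	req := httptest.NewRequest(http.MethodPost, path, &body)
	req.Header.Set("Content-Type", mw.FormDataContentType())
	if cookie != "" {
		req.AddCookie(&http.Cookie{Name: "session", Value: cookie})
	}
	rec := httptest.NewRecorder()
	mux.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	flawed := buildRouter(false, false)
	fixed := buildRouter(false, true)
	fmt.Println("flawed router, anonymous:", postUpload(flawed, "/issues/attachments", ""))
	fmt.Println("fixed router, anonymous:  ", postUpload(fixed, "/issues/attachments", ""))
	fmt.Println("fixed router, alice:      ", postUpload(fixed, "/releases/attachments", "sess-alice"))
}
```

The point of the model is that authorization for a state-changing route (an upload) must not be derived from a read-visibility setting: with the flawed wiring the default value of the view toggle silently opens both upload routes to anyone, whereas the hardened wiring returns 401 to anonymous callers regardless of that toggle and still admits a signed-in user.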

Exploit
Fix

Weakness Enumeration: Missing Authorization

Related Identifiers:
BDU:2026-02143
CVE-2026-25242
GHSA-FC3H-92P8-H36F
GO-2026-4500
SUSE-SU-2026:0757-1

Affected Products: Gogs