PT-2026-51631 · Gogs · Gogs

Published: 2026-06-23 · Updated: 2026-06-23 · CVE-2026-52813

CVSS v3.1: 10 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Gogs (affected versions not specified)

Description: Gogs fails to sanitize organization names, allowing the use of path traversal sequences (../). This enables the storage and retrieval of repository data at arbitrary locations on the filesystem. An attacker can exploit this by creating a nested structure of Git repositories to overwrite the hooks configuration of another repository. Specifically, by targeting the local worktree directory, an attacker can modify the hooks/update script to include malicious Bash commands. When the hook is triggered, it results in Remote Code Execution (RCE) with the privileges of the git user. The issue occurs because the os.MkdirAll() function in internal/database/org.go is called using the unsanitized org.Name variable.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
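As an added illustration (example code, not Gogs's own), the kind of check a maintainer would place in front of the os.MkdirAll() call described above: an allowlist on the organization name plus a containment check on the joined path. The repository root path, the names SafeOrgDir and Escapes, and the allowlist pattern are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// Constructed allowlist (not from Gogs): letters, digits, '.', '-', '_';
// a leading '.' is refused so "." and ".." can never pass on their own.
var orgNamePattern = regexp.MustCompile(`^[A-Za-z0-9_][A-Za-z0-9._-]{0,99}$`)

var ErrUnsafeOrgName = errors.New("organization name is not a safe path component")

// outsideRoot reports whether target, joined under root, resolves outside root.
func outsideRoot(root, target string) bool {
	rel, err := filepath.Rel(root, target)
	return err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// SafeOrgDir returns the on-disk directory for an organization, refusing any
// name that would escape reposRoot. Two independent checks are applied so that
// a bypass of one (e.g. an encoding quirk) is still caught by the other.
func SafeOrgDir(reposRoot, orgName string) (string, error) {
	if !orgNamePattern.MatchString(orgName) {
		return "", ErrUnsafeOrgName
	}
	root, err := filepath.Abs(reposRoot)
	if err != nil {
		return "", err
	}
	target := filepath.Join(root, orgName) // Join cleans, so "../" collapses upward
	if outsideRoot(root, target) {
		return "", ErrUnsafeOrgName
	}
	return target, nil
}

// Escapes models the unvalidated behaviour: join the raw name and report
// whether the result lands outside the repository root.
func Escapes(reposRoot, orgName string) bool {
	root, _ := filepath.Abs(reposRoot)
	return outsideRoot(root, filepath.Join(root, orgName))
}

func main() {
	for _, name := range []string{"acme", "../../tmp/x", "acme/../..", ".."} {
		dir, err := SafeOrgDir("/srv/gogs-repositories", name)
		fmt.Printf("%-14q escapes=%-5v dir=%q err=%v\n", name, Escapes("/srv/gogs-repositories", name), dir, err)
	}
}
```

Running it shows that every traversal-style name is rejected by SafeOrgDir while the raw join reports it as escaping the root; a plain name such as "acme" stays inside.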

Weakness Enumeration

Relative Path Traversal

Related Identifiers

CVE-2026-52813
GHSA-C39W-43GM-34H5

Affected Products

Gogs