CVE-2026-22592

Name of the Vulnerable Software and Affected Versions Gogs versions prior to 0.13.4 Gogs versions prior to 0.14.0+dev

Description Gogs is a self-hosted Git service susceptible to a denial-of-service (DOS) attack. An authenticated user can trigger a crash by initiating a mirror synchronization on a repository and then deleting the repository before the synchronization completes. Specifically, the issue occurs when the GetMirrorByRepoID function fails, leading to a null pointer dereference. The vulnerable code is located in internal/database/mirror.go lines 333-337 and 269-278. A proof-of-concept (PoC) involves repeatedly triggering mirror synchronization via the /superuser/gobypass403/settings API endpoint using the action parameter set to 'mirror-sync' while simultaneously deleting the repository.

Recommendations Versions prior to 0.13.4 should be updated to version 0.13.4 or later. Versions prior to 0.14.0+dev should be updated to version 0.14.0+dev or later.