PT-2026-6757 · Gogs · Gogs

Odgrso · Published 2026-02-06 · Updated 2026-03-03 · CVE-2026-23633

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions

Gogs versions prior to 0.13.4
Gogs versions prior to 0.14.0

Description

Gogs, an open source self-hosted Git service, contains a flaw that allows arbitrary file read and write operations through path traversal in the Git hook editing functionality. The issue stems from insufficient path sanitization when handling the :name parameter of the /username/reponame/settings/hooks/git/:name API endpoint. The parameter is URL-decoded and used directly when constructing file paths, so an attacker can use ../ sequences to reach files outside the intended repository. Successful exploitation requires the attacker to be an authenticated user with Admin or higher privileges on the target repository, possessing the AllowGitHook permission or being a site administrator, and the target file must be readable/writable under the OS permissions of the Gogs process. This can lead to sensitive information disclosure, configuration tampering, and potentially further compromise through the extraction of credentials. The vulnerability allows Local File Inclusion via GET requests and Arbitrary File Write via POST requests.

Recommendations

Gogs versions prior to 0.13.4: upgrade to version 0.13.4 or later.
Gogs versions prior to 0.14.0: upgrade to version 0.14.0 or later.
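As an added illustration (not Gogs source code), the unsafe path construction described above is shown next to a hardened version in Go; the hooks directory, the function names and the three-name hook allow-list are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path/filepath"
	"strings"
)

// ErrBadHookName is returned when a hook name is not an allowed Git hook or
// would resolve outside the repository's hooks directory.
var ErrBadHookName = errors.New("invalid hook name")

// naiveHookPath reproduces the flawed pattern from the advisory: the
// URL-decoded :name is joined straight into the file path (constructed
// illustration, not the Gogs source).
func naiveHookPath(hooksDir, rawName string) string {
	name, _ := url.PathUnescape(rawName)
	return filepath.Join(hooksDir, name)
}

// safeHookPath accepts only a fixed allow-list of hook names (assumed set)
// and, as defense in depth, verifies the cleaned path stays inside hooksDir.
func safeHookPath(hooksDir, rawName string) (string, error) {
	name, err := url.PathUnescape(rawName)
	if err != nil {
		return "", err
	}
	allowed := map[string]bool{"pre-receive": true, "update": true, "post-receive": true}
	if !allowed[name] {
		return "", ErrBadHookName
	}
	base := filepath.Clean(hooksDir)
	full := filepath.Join(base, name)
	rel, err := filepath.Rel(base, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrBadHookName
	}
	return full, nil
}

func main() {
	dir := "/srv/gogs/repos/alice/demo.git/hooks" // constructed example path
	for _, raw := range []string{"pre-receive", "..%2F..%2Foutside.txt"} {
		fmt.Println("naive:", naiveHookPath(dir, raw))
		p, err := safeHookPath(dir, raw)
		fmt.Println("safe :", p, err)
	}
}
```

The naive join silently resolves the second name to a file two directories above the hooks directory, while the hardened version rejects it before any file access happens.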

Exploit

Fix

Weakness Enumeration

Path traversal

Related Identifiers

CVE-2026-23633
GHSA-MRPH-W4HH-GX3G
GO-2026-4453
SUSE-SU-2026:0757-1

Affected Products

Gogs