PT-2026-6758 · Gogs · Gogs

Reschjonas · Published 2026-02-06 · Updated 2026-03-03

CVE-2026-24135 · CVSS v3.1 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Gogs versions prior to 0.13.4
Gogs versions 0.13.0 through 0.13.3

Description
Gogs is a self-hosted Git service. A path traversal issue exists in the updateWikiPage function. An authenticated user with write access to a repository's wiki can delete arbitrary files on the server by manipulating the old title parameter in the wiki editing form. The vulnerability is located in internal/database/wiki.go, where the old title parameter is used in file operations without proper sanitization. Specifically, os.Remove combined with path.Join can be exploited by supplying a path traversal sequence in the old title parameter; because ".md" is appended to the supplied title, the files that can be deleted are those whose names end with the '.md' extension. This could result in denial of service or data loss. The vulnerable code snippet is: os.Remove(path.Join(localPath, oldTitle+".md")).

Recommendations
Gogs versions prior to 0.13.4: Sanitize the old title parameter using ToWikiPageName (or path.Clean and basename validation) before using it in file operations, similar to how the new title is currently handled. As a temporary workaround, restrict write access to the wiki to minimize the risk of exploitation.
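The following is an added illustration, not Gogs's own code: it places the unsafe join quoted in the description beside a hypothetical hardened helper that applies the path.Clean-and-basename validation the recommendation names. The directory value and both function names are assumed.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// ErrUnsafeTitle is returned when a wiki title could escape the wiki checkout.
var ErrUnsafeTitle = errors.New("wiki title contains a separator or traversal component")

// wikiPageFileUnsafe reproduces the expression from the advisory,
// path.Join(localPath, oldTitle+".md"), with no validation of the title.
// path.Join cleans the result, so "../" components walk out of localPath.
func wikiPageFileUnsafe(localPath, title string) string {
	return path.Join(localPath, title+".md")
}

// wikiPageFileSafe is a hypothetical hardened replacement: the title must be a
// single path element (no separators, not "." or ".."), and the cleaned result
// must still sit directly under the cleaned localPath.
func wikiPageFileSafe(localPath, title string) (string, error) {
	if title == "" || title == "." || title == ".." || strings.ContainsAny(title, `/\`) {
		return "", ErrUnsafeTitle
	}
	base := path.Clean(localPath)
	full := path.Join(base, title+".md")
	// Defence in depth: the file's parent must be exactly the wiki directory.
	if path.Dir(full) != base {
		return "", ErrUnsafeTitle
	}
	return full, nil
}

func main() {
	// Constructed example values; not taken from a real Gogs deployment.
	base := "/srv/gogs/repos/alice/project.wiki"
	for _, title := range []string{"Home", "../../../../etc/motd"} {
		fmt.Printf("unsafe: %q -> %s\n", title, wikiPageFileUnsafe(base, title))
		if p, err := wikiPageFileSafe(base, title); err != nil {
			fmt.Printf("safe:   %q -> rejected (%v)\n", title, err)
		} else {
			fmt.Printf("safe:   %q -> %s\n", title, p)
		}
	}
}
```

Running it shows the traversal title resolving to /srv/etc/motd.md through the unsafe join while the hardened helper rejects it and accepts "Home".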

Exploit · Fix · Path traversal

Weakness Enumeration

Related Identifiers

CVE-2026-24135
GHSA-JP7C-WJ6Q-3QF2
GO-2026-4452
SUSE-SU-2026:0757-1

Affected Products

Gogs