CVE-2026-25229

MEDIUM EPSS 16.7%
Published Feb 19, 20264mo ago · Modified Jun 17, 20261w ago
5.3 CVSS 4.0
Medium
Find Similar
Published Feb 19, 2026 4mo ago
Last Modified Jun 17, 2026 1w ago

Description

Gogs is an open source self-hosted Git service. Versions 0.13.4 and below have a broken access control vulnerability which allows authenticated users with write access to any repository to modify labels belonging to other repositories. The UpdateLabel function in the Web UI (internal/route/repo/issue.go) fails to verify that the label being modified belongs to the repository specified in the URL path, enabling cross-repository label tampering attacks. The vulnerability exists in the Web UI's label update endpoint POST /:username/:reponame/labels/edit. The handler function UpdateLabel uses an incorrect database query function that bypasses repository ownership validation. This issue has been fixed in version 0.14.1.

CVSS Details

Base Score
5.3
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope X

Threat Intelligence

EPSS Exploit Probability
16.7% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-284

Affected Products 1

VendorProductVersionRange
gogsgogs* <0.14.1

References 2

  • github.com https://github.com/gogs/gogs/commit/643a6d6353cb6a182a4e1f0720228727f30a3ad2
    Patch
  • github.com https://github.com/gogs/gogs/security/advisories/GHSA-cv22-72px-f4gh
    ExploitMitigationVendor Advisory

Remediation

  • github.com https://github.com/gogs/gogs/commit/643a6d6353cb6a182a4e1f0720228727f30a3ad2
    Patch