CVE-2026-25921

CRITICAL · EPSS 24.5%
CVSS 3.1 base score 9.3 (Critical)
Published Mar 5, 2026 · Last Modified Mar 6, 2026

Description

Gogs is an open source self-hosted Git service. Prior to version 0.14.2, an LFS object could be overwritten from a different repository, enabling a supply-chain attack: every LFS object stored on the server could be maliciously overwritten by an attacker. This issue has been patched in version 0.14.2.

CVSS Details

Base Score
9.3
Exploitability
3.9
Impact
4.7
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:L
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Changed
Confidentiality None
Integrity High
Availability Low

Threat Intelligence

EPSS Exploit Probability
24.5% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-345 (Insufficient Verification of Data Authenticity)

Affected Products 1

Vendor   Product   Version   Range
gogs     gogs      *         <0.14.2

References 4

  • github.com https://github.com/gogs/gogs/commit/81ee8836445ac888d99da8b652be7d5cbc5c4d5c
    Patch
  • github.com https://github.com/gogs/gogs/pull/8166
    Issue Tracking
  • github.com https://github.com/gogs/gogs/releases/tag/v0.14.2
    Release Notes
  • github.com https://github.com/gogs/gogs/security/advisories/GHSA-cj4v-437j-jq4c
    Exploit, Vendor Advisory, Mitigation

Remediation

  • github.com https://github.com/gogs/gogs/commit/81ee8836445ac888d99da8b652be7d5cbc5c4d5c
    Patch