Cyber Posture

CVE-2026-25242

Critical · Public PoC

Published: 19 February 2026
Modified: 19 February 2026
KEV Added: (none listed)
Patch: (none listed)
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0010 (27.2nd percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Gogs is an open source self-hosted Git service. Versions 0.13.4 and below expose unauthenticated file upload endpoints by default. When the global RequireSigninView setting is disabled (the default), any remote user can upload arbitrary files to the server via /releases/attachments and /issues/attachments. This enables the instance to be abused as a public file host, potentially leading to disk exhaustion, content hosting, or delivery of malware. CSRF tokens do not mitigate this attack, because the token cookie is issued to any same-origin visitor, authenticated or not. This issue has been fixed in version 0.14.1.

Mitigating Controls (NIST 800-53 r5, AI-generated)

Prevent: Enforce approved authorizations on file upload endpoints such as /releases/attachments and /issues/attachments to block unauthenticated arbitrary file uploads.

Prevent: Define and prohibit unauthenticated actions such as file uploads, so that only explicitly permitted operations occur without identification or authentication.

Prevent: Mandate secure configuration settings, such as enabling RequireSigninView, so that the upload endpoints in Gogs require authentication.

Security Summary (AI-generated)

CVE-2026-25242 affects Gogs, an open source self-hosted Git service, in versions 0.13.4 and below. The vulnerability stems from unauthenticated file upload endpoints being exposed by default when the global RequireSigninView setting is disabled, which is the default configuration. Specifically, remote users can upload arbitrary files to the server via the /releases/attachments and /issues/attachments endpoints. This issue is rated with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-862 (Missing Authorization).

Any remote attacker, without authentication, can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation allows arbitrary file uploads, enabling the Gogs instance to be abused as a public file host. This can lead to disk exhaustion through repeated uploads, unauthorized content hosting, or delivery of malware to other users or visitors.

The issue has been addressed in Gogs version 0.14.1, as detailed in the project's security advisory (GHSA-fc3h-92p8-h36f), release notes, associated pull request (#8128), and fixing commit (628216d5889fcb838c471f4754f09b935d9cd9f3). Administrators should upgrade to version 0.14.1 or later to mitigate the vulnerability, and enabling the RequireSigninView setting may provide partial protection in affected versions, though it is not enabled by default. CSRF tokens do not prevent exploitation due to same-origin cookie issuance.
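The root cause described above and in the Description is a route-level authorization gap: the upload handlers were reachable whenever the single global RequireSigninView switch was off, instead of demanding a session of their own. The following Go program is an added illustration written for this page, not Gogs's router or handler code. It models that gap with net/http: VulnerableMux gates the two upload paths only on the global flag, HardenedMux always requires a session on them (the shape of the fix in 0.14.1), and ProbeUpload is a credential-less check an operator can point at their own instance. Assumptions: the multipart field name "file", the "session" cookie stand-in, and the bare /issues/attachments and /releases/attachments paths are illustrative (on a real Gogs instance these routes sit under a repository path, so adjust the URL accordingly).

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"mime/multipart"
	"net/http"
	"net/http/httptest"
)

// Config models the one global knob the advisory names. false is the
// documented default. Illustrative type, not Gogs's configuration struct.
type Config struct {
	RequireSigninView bool
}

// signedIn is a stand-in for session lookup (assumption: a "session"
// cookie with value "valid" means an authenticated user).
func signedIn(r *http.Request) bool {
	c, err := r.Cookie("session")
	return err == nil && c.Value == "valid"
}

// uploadAttachment reads the multipart field "file" (assumed name) and
// discards it. Like the affected handler, it performs no authorization
// itself; whatever check exists sits in front of it.
func uploadAttachment(w http.ResponseWriter, r *http.Request) {
	f, hdr, err := r.FormFile("file")
	if err != nil {
		http.Error(w, "missing file", http.StatusBadRequest)
		return
	}
	defer f.Close()
	n, _ := io.Copy(io.Discard, f)
	fmt.Fprintf(w, "stored %s (%d bytes)\n", hdr.Filename, n)
}

// requireSignIn rejects anonymous requests regardless of global settings.
func requireSignIn(next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if !signedIn(r) {
			http.Error(w, "sign in required", http.StatusUnauthorized)
			return
		}
		next(w, r)
	}
}

// VulnerableMux protects the write endpoints only through the global
// view switch: with RequireSigninView=false they are open to anyone.
func VulnerableMux(cfg Config) http.Handler {
	gate := func(next http.HandlerFunc) http.HandlerFunc {
		return func(w http.ResponseWriter, r *http.Request) {
			if cfg.RequireSigninView && !signedIn(r) {
				http.Error(w, "sign in required", http.StatusUnauthorized)
				return
			}
			next(w, r)
		}
	}
	mux := http.NewServeMux()
	mux.HandleFunc("/releases/attachments", gate(uploadAttachment))
	mux.HandleFunc("/issues/attachments", gate(uploadAttachment))
	return mux
}

// HardenedMux binds a sign-in requirement to the write endpoints
// themselves, independent of how anonymous viewing is configured.
func HardenedMux() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/releases/attachments", requireSignIn(uploadAttachment))
	mux.HandleFunc("/issues/attachments", requireSignIn(uploadAttachment))
	return mux
}

// ProbeUpload posts a tiny multipart file with no credentials and returns
// the status code. 2xx means anonymous uploads are accepted; 401/403 or a
// 3xx redirect to the login page means they are not.
func ProbeUpload(url string) (int, error) {
	var body bytes.Buffer
	mw := multipart.NewWriter(&body)
	part, err := mw.CreateFormFile("file", "probe.txt")
	if err != nil {
		return 0, err
	}
	part.Write([]byte("probe"))
	mw.Close()
	req, err := http.NewRequest(http.MethodPost, url, &body)
	if err != nil {
		return 0, err
	}
	req.Header.Set("Content-Type", mw.FormDataContentType())
	client := &http.Client{CheckRedirect: func(*http.Request, []*http.Request) error {
		return http.ErrUseLastResponse // surface a login redirect as 3xx
	}}
	resp, err := client.Do(req)
	if err != nil {
		return 0, err
	}
	resp.Body.Close()
	return resp.StatusCode, nil
}

func main() {
	cfg := Config{RequireSigninView: false} // the default the advisory describes
	for name, h := range map[string]http.Handler{"vulnerable": VulnerableMux(cfg), "hardened": HardenedMux()} {
		srv := httptest.NewServer(h)
		code, err := ProbeUpload(srv.URL + "/issues/attachments")
		srv.Close()
		fmt.Printf("%-10s anonymous upload -> %d %v\n", name, code, err)
	}
}
```

Run as-is and the vulnerable server answers the anonymous probe with 200 while the hardened one answers 401. Against a live instance, run ProbeUpload only against systems you operate: a 2xx response means the probe file was actually stored and should be cleaned up, and the check is worth repeating after upgrading to 0.14.1.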

Details

CWE(s)

CWE-862 Missing Authorization

Affected Products

gogs / gogs: 0.13.4 and below (fixed in 0.14.1)

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1105 Ingress Tool Transfer Command And Control
Adversaries may transfer tools or other files from an external system into a compromised environment.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Unauthenticated arbitrary file upload in public-facing Gogs web application enables exploitation of public-facing app (T1190), ingress tool transfer via upload endpoints (T1105), and endpoint DoS through disk exhaustion (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
