CVE-2026-52797
Deferred Deferred - Pending Action

Gogs Git Diff Command Injection Vulnerability

Vulnerability report for CVE-2026-52797, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-24

Last updated on: 2026-06-25

Assigner: GitHub, Inc.

Description

Gogs is an open source self-hosted Git service. Prior to 0.14.0, as an authorized user, an intruder can dictate the value which is passed to the git diff command which, together with bypassing the filtering of the passed value, allows the user to bypass the target directory and write the result of the comparison to any arbitrary path. This vulnerability is fixed in 0.14.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-24
Last Modified
2026-06-25
Generated
2026-07-15
AI Q&A
2026-06-25
EPSS Evaluated
2026-07-13
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
gogs gogs to 0.14.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in Gogs, an open source self-hosted Git service, in versions prior to 0.14.0. An authorized user can manipulate the value passed to the git diff command. By bypassing the filtering of this value, the user can escape the intended target directory and write the output of the git diff comparison to any arbitrary file path.

This means that an intruder with authorized access can potentially write files to locations they should not have access to, which can lead to unauthorized modifications on the system.

Impact Analysis

The vulnerability allows an authorized user to write files to arbitrary paths on the system by exploiting the git diff command. This can lead to unauthorized file modifications, potentially causing integrity issues or enabling further attacks.

The CVSS score of 8.5 (High) indicates a significant impact, including the possibility of high availability impact (A:H) and integrity loss (I:L). This could disrupt service availability or compromise the integrity of data.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Gogs to version 0.14.0 or later, where the issue has been fixed.

Compliance Impact

The provided information does not specify how this vulnerability directly affects compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability can be detected by checking if your Gogs instance is running a vulnerable version (0.13.4 or earlier) and by monitoring for unusual or unauthorized usage of the git diff command with manipulated path parameters.

Specifically, detection involves looking for attempts to exploit the path traversal flaw by observing requests that manipulate the `treePath` parameter in the `_preview` method or git diff commands that use the `--output` flag to write to arbitrary paths.

Suggested commands to help detect exploitation attempts include:

  • Check the Gogs version to confirm if it is vulnerable: `gogs --version` or check the installed package version.
  • Monitor git diff commands executed on the server for suspicious `--output` usage, for example, by reviewing shell history or process logs: `ps aux | grep 'git diff'`.
  • Inspect web server or application logs for requests containing unusual `treePath` parameters or attempts to access paths outside the repository directory.
  • Use file integrity monitoring tools to detect unexpected changes to critical files like `gogs.db` or `app.ini`.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-52797. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart