CVE-2026-52797
Status: Received - Intake
Source: BaseFortify

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: GitHub, Inc.

Description
Gogs is an open source self-hosted Git service. Prior to 0.14.0, an authorized user can control the value that is passed to the git diff command; combined with a bypass of the filtering applied to that value, this lets the user escape the target directory and write the result of the comparison to an arbitrary path. This vulnerability is fixed in 0.14.0.
Meta Information
Published: 2026-06-24
Last Modified: 2026-06-24
Generated: 2026-06-25
AI Q&A: 2026-06-25
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: gogs
Product: gogs
Version / Range: up to 0.14.0 (excluding 0.14.0)
CWE ID: CWE-22
Description: The product uses external input to construct a pathname that is intended to identify a file or directory located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause it to resolve to a location outside of the restricted directory.
Executive Summary

This vulnerability exists in Gogs, an open source self-hosted Git service, in versions prior to 0.14.0. An authorized user can manipulate the value passed to the git diff command. By bypassing the filtering of this value, the user can escape the intended target directory and write the output of the git diff comparison to any arbitrary file path.

This means that an attacker who holds an authorized account can write files to locations they should not be able to reach, which can lead to unauthorized modifications on the system.

Impact Analysis

The vulnerability allows an authorized user to write files to arbitrary paths on the system by abusing the value passed to the git diff command. This can lead to unauthorized file modifications, potentially causing integrity issues or enabling further attacks.

The CVSS score of 8.5 (High) indicates a significant impact, with a high availability impact (A:H) and a low integrity impact (I:L). This could disrupt service availability or compromise the integrity of data.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Gogs to version 0.14.0 or later, where the issue has been fixed.
