Jia Chen

5 exploits Active since Feb 2026
CVE-2026-52802 WRITEUP MEDIUM WRITEUP
Gogs: Open Redirect via redirect_to in Gogs
Gogs is an open source self-hosted Git service. Prior to 0.14.3, an open redirect vulnerability exists in Gogs where attacker-controlled redirect_to parameters can bypass validation, allowing redirection to arbitrary external sites. All redirects in Gogs that are validated via the IsSameSite function are vulnerable. The function only inspects the first two characters of the URL string. This check fails to account for directory traversal sequences followed by backslashes. This vulnerability is fixed in 0.14.3.
CVSS 5.4
CVE-2026-52810 WRITEUP HIGH WRITEUP
Gogs: Write to readonly repositories using receive-pack + service=git-upload-pack confusion
Gogs is an open source self-hosted Git service. Prior to 0.14.3, Git smart HTTP authorizes POST …/git-receive-pack using the client-supplied service query string (so ?service=git-upload-pack is evaluated as read access) while routing still runs git receive-pack, allowing push where only read should be allowed. This vulnerability is fixed in 0.14.3.
CVE-2026-52811 WRITEUP CRITICAL WRITEUP
Gogs: UploadRepoFiles writes outside repo working tree via committed parent sym
Gogs is an open source self-hosted Git service. Prior to 0.14.3, (*Repository).UploadRepoFiles checks for symlinks only on the leaf of the upload target (osx.IsSymlink(targetPath)). The siblings UpdateRepoFile, DeleteRepoFile, and GetDiffPreview use hasSymlinkInPath, which lstats every component — UploadRepoFiles is the lone outlier. An attacker with repo-write access plus a multipart upload whose filename contains a literal backslash (preserved by filepath.Base on Linux, then converted to / by pathx.Clean) redirects the write through a previously-committed directory symlink. iox.CopyFile opens the destination with os.Create (no O_NOFOLLOW), so the kernel follows the parent symlink and writes attacker bytes anywhere the gogs UID can write — ~git/.ssh/authorized_keys → SSH foothold, or <repo>.git/hooks/post-receive → next-push RCE. This vulnerability is fixed in 0.14.3.
CVE-2026-52816 WRITEUP MEDIUM WRITEUP
Gogs < 0.14.3 - Unauthenticated Cross-Site Scripting via ipynb Sanitizer
Gogs is an open source self-hosted Git service. Prior to 0.14.3, the Jupyter Notebook (ipynb) sanitizer endpoint at POST /-/api/sanitize_ipynb allows arbitrary data: URIs without proper restrictions, potentially leading to Cross-Site Scripting (XSS). The endpoint uses bluemonday.UGCPolicy() with p.AllowURLSchemes("data") which permits all data URI schemes including data:text/html, enabling attackers to inject malicious HTML/JavaScript. Additionally, the endpoint has no authentication middleware, allowing any registered user to exploit this vulnerability. This vulnerability is fixed in 0.14.3.
CVE-2026-25120 WRITEUP LOW WRITEUP
Gogs < 0.14.0 - Authorization Bypass via DeleteComment API
Gogs is an open source self-hosted Git service. In versions 0.13.4 and below, the DeleteComment API does not verify that the comment belongs to the repository specified in the URL. This allows a repository administrator to delete comments from any other repository by supplying arbitrary comment IDs, bypassing authorization controls. The DeleteComment function retrieves a comment by ID without verifying repository ownership and the Database function DeleteCommentByID performs no repository validation. This issue has been fixed in version 0.14.0.
CVSS 2.7