CVE-2025-64111

CRITICAL

Gogs < 0.13.4 - OS Command Injection

Title source: rule

Description

Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, due to the insufficient patch for CVE-2024-56731, it's still possible to update files in the .git directory and achieve remote command execution. This issue has been patched in versions 0.13.4 and 0.14.0+dev.

Exploits (1)

github WORKING POC

by Acczdy · pythonpoc

https://github.com/Acczdy/CVE-Vault/tree/master/CVE-2025-64111

View Code ZIP pw:eip

References (1)

[Vendor Advisory] https://github.com/gogs/gogs/security/advisories/GHSA-gg64-xxr9-qhjp

Scores

CVSS v3 9.8

EPSS 0.0023

EPSS Percentile 45.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-78

Status published

Products (2)

gogs/gogs < 0.13.4

gogs.io/gogs 0 - 0.13.4Go

Published Feb 06, 2026

Tracked Since Feb 18, 2026