CVE-2026-24135

HIGH

Gogs < 0.13.4 - Authenticated Path Traversal via Wiki Update old_title Parameter

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2026-24135. PoCs published by XiaomingX, reschjonas.

AI-analyzed exploit summary This repository contains a functional SQL injection exploit for WordPress Quiz Maker (CVE-2025-10042), demonstrating time-based blind SQLi via crafted HTTP headers. The PoC includes automated data extraction for admin credentials and hashes.

Description

Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, a path traversal vulnerability exists in the updateWikiPage function of Gogs. The vulnerability allows an authenticated user with write access to a repository's wiki to delete arbitrary files on the server by manipulating the old_title parameter in the wiki editing form. This issue has been patched in versions 0.13.4 and 0.14.0+dev.

Exploits (2)

github WORKING POC 10 stars

by XiaomingX · pythonpoc

https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-24135

View Code ZIP pw:eip

This repository contains a functional SQL injection exploit for WordPress Quiz Maker (CVE-2025-10042), demonstrating time-based blind SQLi via crafted HTTP headers. The PoC includes automated data extraction for admin credentials and hashes.

Classification

Working Poc 95%

Attack Type

Sqli

Complexity

Moderate

Reliability

Reliable

Target: WordPress Quiz Maker <= 6.7.0.56

No auth needed

Prerequisites: target WordPress URL · path to quiz page · vulnerable header (default: X-Forwarded-For)

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 27, 2026 Full analysis →

nomisec WRITEUP

by reschjonas · poc

https://github.com/reschjonas/CVE-2026-24135

View Code ZIP pw:eip

This repository contains a detailed writeup for CVE-2026-24135, an arbitrary file deletion vulnerability in Gogs via wiki path traversal. The vulnerability allows authenticated users with wiki write access to delete arbitrary files on the server by injecting path traversal sequences into the `old_title` parameter.

Classification

Writeup 100%

Attack Type

Other

Complexity

Trivial

Reliability

Reliable

Target: Gogs <= 0.13.3

Auth required

Prerequisites: Authenticated user with wiki write access

MITRE ATT&CK

T1006 - Direct Volume Access

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (1)

Core 1

Core References

Vendor Advisory x_refsource_confirm

https://github.com/gogs/gogs/security/advisories/GHSA-jp7c-wj6q-3qf2

Scores

CVSS v3 8.1

EPSS 0.0007

EPSS Percentile 22.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-22

Status published

Products (2)

gogs/gogs < 0.13.4

gogs.io/gogs 0 - 0.13.4Go

Published Feb 06, 2026

Tracked Since Feb 18, 2026