CVE-2026-24135

HIGH

Gogs <0.13.3 - Path Traversal

Title source: llm

Description

Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, a path traversal vulnerability exists in the updateWikiPage function of Gogs. The vulnerability allows an authenticated user with write access to a repository's wiki to delete arbitrary files on the server by manipulating the old_title parameter in the wiki editing form. This issue has been patched in versions 0.13.4 and 0.14.0+dev.

Exploits (2)

github WORKING POC 10 stars

by XiaomingX · pythonpoc

https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-24135

View Code ZIP pw:eip

nomisec WRITEUP

by reschjonas · poc

https://github.com/reschjonas/CVE-2026-24135

View Code ZIP pw:eip

References (1)

[Vendor Advisory] https://github.com/gogs/gogs/security/advisories/GHSA-jp7c-wj6q-3qf2

Scores

CVSS v3 8.1

EPSS 0.0006

EPSS Percentile 19.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Details

CWE

CWE-22

Status published

Products (2)

gogs/gogs < 0.13.4

gogs.io/gogs 0 - 0.13.4Go

Published Feb 06, 2026

Tracked Since Feb 18, 2026