CVE-2026-52813
CRITICAL | EXPLOITED
Gogs: Path Traversal in organization name results in RCE through Git hooks
Title source: cna
Exploitation Summary
CVE-2026-52813 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 1 public exploit from researchers including thecodeb0ss.
AI-analyzed exploit summary: This repository contains a functional exploit for CVE-2026-52813, which leverages a path traversal vulnerability in Gogs' organization name handling to achieve remote code execution (RCE) via malicious Git hooks. The exploit automates the process of logging in, creating a malicious organization, and pushing a repository with a malicious hook to execute arbitrary commands.
Description
Gogs is an open source self-hosted Git service. Prior to 0.14.3, Gogs accepts organization names containing path traversal sequences (../), and repositories under them are written to paths that follow these traversals. This allows storing/retrieving data for repositories at arbitrary locations on the filesystem. By creating a nested structure of Git repositories, one can overwrite the other's hooks configuration, resulting in Remote Code Execution (RCE). This vulnerability is fixed in 0.14.3.
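The class of check that closes this kind of traversal, as an added example (not Gogs' own code and not the 0.14.3 patch). It assumes repositories live at `<root>/<owner>/<repo>.git`; `SafeRepoPath`, `AuditOwners` and the root path are hypothetical names, and `AuditOwners` shows how the same check can flag existing owner names for review.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrEscapesRoot marks a name that would place a repository outside root.
var ErrEscapesRoot = errors.New("repository path escapes repository root")

// SafeRepoPath builds <root>/<owner>/<repo>.git (layout assumed for this
// example) and rejects any name that is not a single path component or
// whose joined path leaves root.
func SafeRepoPath(root, owner, repo string) (string, error) {
	for _, name := range []string{owner, repo} {
		if name == "" || name == "." || name == ".." ||
			strings.ContainsAny(name, `/\`) || strings.ContainsRune(name, 0) {
			return "", fmt.Errorf("%w: invalid name %q", ErrEscapesRoot, name)
		}
	}
	root = filepath.Clean(root)
	p := filepath.Join(root, owner, repo+".git")
	// Defence in depth: confirm containment on the cleaned result.
	rel, err := filepath.Rel(root, p)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q", ErrEscapesRoot, p)
	}
	return p, nil
}

// AuditOwners returns the owner names from an existing instance that
// SafeRepoPath would reject, for review after upgrading.
func AuditOwners(root string, owners []string) []string {
	var bad []string
	for _, o := range owners {
		if _, err := SafeRepoPath(root, o, "probe"); err != nil {
			bad = append(bad, o)
		}
	}
	return bad
}

func main() {
	// Constructed sample names, not taken from any real instance.
	owners := []string{"acme", "../../tmp/x", "team/../other", ".."}
	fmt.Println(AuditOwners("/data/gogs-repositories", owners))
}
```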
Exploits (1)
References (4)
Scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H