CVE-2026-52813

Severity: Critical · Exploited in the wild

Gogs: Path Traversal in organization name results in RCE through Git hooks

Title source: cna

Exploitation Summary

CVE-2026-52813 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 1 public exploit from researchers including thecodeb0ss.

AI-analyzed exploit summary: This repository contains a functional exploit for CVE-2026-52813, which leverages a path traversal vulnerability in Gogs' organization name handling to achieve remote code execution (RCE) via malicious Git hooks. The exploit automates the process of logging in, creating a malicious organization, and pushing a repository with a malicious hook to execute arbitrary commands.

Description

Gogs is an open source self-hosted Git service. Prior to 0.14.3, organization names containing path traversal sequences (../) are accepted by Gogs, and repositories under them are written to paths that follow these traversals. This allows storing and retrieving data for repositories at arbitrary locations on the filesystem. By creating a nested structure of Git repositories, one repository can overwrite another's hooks configuration, resulting in Remote Code Execution (RCE). This vulnerability is fixed in 0.14.3.

Exploits (1)

GitHub · working PoC
by thecodeb0ss · poc
https://github.com/thecodeb0ss/CVE-2026-52813

Classification
Working PoC: 95%
Attack type: RCE
Complexity: moderate
Reliability: reliable
Target: Gogs (version not specified)
Authentication: required
Prerequisites: valid credentials for a Gogs instance · network access to the target Gogs server
Analysis: mistral-large-3 · analyzed Jul 02, 2026

References (4)

Scores

CVSS v3.1: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS: 0.0111 (percentile 61.8%)
Attack vector: NETWORK

CISA SSVC (Vulnrichment)

Exploitation: poc
Automatable: yes
Technical impact: total

Details

VulnCheck KEV: 2026-06-26
CWE: CWE-23 (Relative Path Traversal)
Status: published
Products (1): gogs/gogs < 0.14.3
Published: Jun 24, 2026
Tracked since: Jun 25, 2026