Gogs Vulnerabilities Enable Code Execution and Access Abuse - Advisories

Threat Advisory

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

Multiple high- and medium-severity security vulnerabilities have been identified in Gogs that collectively expose affected installations to serious risks, including remote code execution, authentication bypass, unauthorized repository modification, arbitrary file deletion, and denial-of-service conditions. The issues stem from insufficient permission checks, flawed authentication logic, unsafe file handling, and incomplete fixes for previously reported flaws. Attackers ranging from unauthenticated users with API access to authenticated users with minimal privileges could exploit these weaknesses to tamper with source code, bypass two-factor authentication, execute commands on the server, or crash the application. The combined impact of these vulnerabilities significantly undermines repository integrity, account security, and service availability, leaving affected deployments highly exposed if left unpatched.

CVE-2025-64111: This vulnerability has a CVSS score of 9.3 and allows remote code execution by abusing insufficiently patched logic that permits modification of files within the .git directory. By bypassing checks in the UpdateRepoFile function, an attacker can alter the .git/config file via the API, resulting in command execution on the server.

CVE-2025-64175: This issue carries a CVSS score of 7.7 and enables a cross-account two-factor authentication bypass. Recovery codes are not properly scoped to individual users, allowing an attacker with valid credentials to reuse unused recovery codes from another account and fully bypass 2FA protections.

CVE-2026-24135: With a CVSS score of 7.2, this path traversal vulnerability in the wiki update feature allows an authenticated user to delete arbitrary files by manipulating the old_title parameter during rename operations. Although deletion is limited to files ending with .md, the flaw can still lead to denial of service or loss of critical data.

CVE-2026-23632: This vulnerability allows repository modification using a read-only access token because the endpoint does not enforce write permission. After passing an incorrect permission check, the application creates commits and executes a git push, enabling source code tampering, backdoor injection, and compromise of distributed artifacts.

CVE-2026-22592: This flaw allows an authenticated user to trigger a denial-of-service condition by deleting a repository file prior to synchronization. When synchronization occurs, the application crashes, leading to service disruption.

These vulnerabilities collectively weaken repository integrity, authentication controls, and service stability by allowing attackers to execute code, bypass security checks, and disrupt availability. Addressing these flaws is critical to prevent unauthorized access, source code tampering, and denial-of-service conditions.

RECOMMENDATION:

We strongly recommend updating Gogs to version 0.13.4 or 0.14.0+dev, which contain the fixes.

REFERENCES:

The following reports contain further technical details:
https://securityonline.info/triple-threat-critical-gogs-flaws-cvss-9-3-allow-rce-2fa-bypass/
https://github.com/advisories/GHSA-5qhx-gwfj-6jqr
https://github.com/advisories/GHSA-cr88-6mqm-4g57
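Two of the flaws above (CVE-2025-64111 and CVE-2026-24135) share a root cause: a user-controlled path is used for a file operation without first being normalised and checked for traversal and for the .git directory. The following Go code is an added illustration of the defensive check, written for this advisory; it is not Gogs's code, and the names CleanRepoPath, WikiPageFile and ErrUnsafePath are hypothetical. It normalises the path first and only then rejects anything that escapes the worktree or has a .git component at any depth, which is the property an incomplete fix tends to miss.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// ErrUnsafePath is returned for any user-supplied path the API must refuse to
// read, write, rename or delete.
var ErrUnsafePath = errors.New("unsafe repository path")

// CleanRepoPath takes a slash-separated path relative to a repository
// worktree, normalises it and refuses anything that escapes the tree or
// touches the .git directory. Hypothetical helper written for this advisory,
// not code from Gogs.
func CleanRepoPath(p string) (string, error) {
	// Treat backslashes as separators so "docs\..\.git\config" cannot slip past
	// a check that only looks for forward slashes.
	p = strings.ReplaceAll(p, "\\", "/")
	if strings.ContainsRune(p, 0) || strings.TrimSpace(p) == "" {
		return "", ErrUnsafePath
	}
	cleaned := path.Clean(p)
	// Reject rather than silently resolve: an absolute path, or one that still
	// starts with ".." after cleaning, was trying to leave the worktree.
	if path.IsAbs(cleaned) || cleaned == "." || cleaned == ".." ||
		strings.HasPrefix(cleaned, "../") {
		return "", ErrUnsafePath
	}
	// Refuse every path with a .git component at any depth. The comparison is
	// case-insensitive because case-insensitive filesystems map ".GIT" to the
	// same directory.
	for _, seg := range strings.Split(cleaned, "/") {
		if strings.EqualFold(seg, ".git") {
			return "", ErrUnsafePath
		}
	}
	return cleaned, nil
}

// WikiPageFile maps a wiki page title to the file that stores it. A title is a
// single name, never a path, so any separator or dot-segment is refused before
// the ".md" suffix is appended. Hypothetical helper, not Gogs code.
func WikiPageFile(title string) (string, error) {
	title = strings.TrimSpace(title)
	if title == "" || title == "." || title == ".." ||
		strings.ContainsAny(title, "/\\\x00") {
		return "", ErrUnsafePath
	}
	return title + ".md", nil
}

func main() {
	// Constructed sample inputs: one benign path and three that must be refused.
	for _, p := range []string{"README.md", "docs/../.git/config", "../etc/passwd", `src\.GIT\hooks\post-update`} {
		got, err := CleanRepoPath(p)
		fmt.Printf("repo %-30q -> %q, %v\n", p, got, err)
	}
	for _, t := range []string{"Home", "../../README"} {
		got, err := WikiPageFile(t)
		fmt.Printf("wiki %-30q -> %q, %v\n", t, got, err)
	}
}
```

The checks are purely lexical. A server that stores repositories on disk should additionally resolve the final path (including symlinks) and confirm it still lies under the expected root before opening, renaming or deleting anything, and the wiki rename handler should apply the same scoping to both the old and the new title rather than only to the new one.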
