The open-source self-hosted Git service Gogs has a critical zero-day vulnerability, rated 9.4 on the CVSS scale, that allows remote code execution (RCE): an authenticated attacker can exploit an argument injection flaw through a malicious pull request. The flaw lets attackers with write access run commands as the Gogs server process, potentially compromising every repository on the server and exposing sensitive data.
The vulnerability affects Gogs servers running default configurations on Windows, Linux, and macOS. Although the flaw was reported to the Gogs maintainers in mid-March, no patch has been issued. This is the second zero-day vulnerability disclosed for Gogs in the last six months.