securityonline.info 2/10/2026, 1:00:48 AM · via preferred

Triple Threat: Critical Gogs Flaws (CVSS 9.3) Allow RCE & 2FA Bypass


A trio of critical Gogs vulnerabilities has been disclosed. The most severe, CVE-2025-64111 (CVSS 9.3), exposes installations to remote code execution by tampering with the repository's configuration files. According to the advisory, an insufficient earlier patch still allowed updates to files inside the .git directory via the API, turning an ordinary repository update into a system compromise.

The second flaw, CVE-2025-64175 (CVSS 7.7), undermines authentication by permitting an attacker who knows a victim’s username and password to use any unused recovery code to bypass 2FA, creating a cross-account bypass that can lead to full account takeover. The third issue, CVE-2026-24135 (CVSS 7.2), is a path traversal vulnerability in the wiki update feature that can let an authenticated user delete arbitrary server files by manipulating the old_title parameter during a rename operation. The maintainers have addressed these issues in versions 0.13.4 and 0.14.0+dev, and administrators are urged to upgrade promptly.
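Two of the three issues are path-handling bugs of the same family: a write that reaches into the .git directory, and a rename whose old_title parameter escapes the wiki directory. The check below is an added example written for this page, not Gogs' own code; the function names and the rejection rules are my own choices. It normalises a user-supplied relative path, refuses anything that would traverse out of the repository root or touch a .git component, and then joins it under the root with a second containment check so the two rules cannot drift apart.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrUnsafePath is returned for any path that must not reach the filesystem.
var ErrUnsafePath = errors.New("unsafe repository path")

// ValidateRepoRelPath normalises a caller-supplied path relative to a
// repository working tree and returns it in slash form. It rejects:
//   - empty or absolute paths,
//   - NUL bytes (which truncate paths in C-level filesystem calls),
//   - any path that still starts with ".." after cleaning (escapes the root),
//   - any path component named ".git", compared case-insensitively so that
//     case-insensitive filesystems cannot be used to bypass the rule.
// Backslashes are treated as separators before cleaning; this is stricter
// than Linux needs but closes the gap on Windows hosts.
func ValidateRepoRelPath(rel string) (string, error) {
	if rel == "" || strings.ContainsRune(rel, 0) {
		return "", ErrUnsafePath
	}
	rel = strings.ReplaceAll(rel, "\\", "/")
	if strings.HasPrefix(rel, "/") {
		return "", ErrUnsafePath
	}
	clean := filepath.ToSlash(filepath.Clean(rel))
	if clean == "." || clean == ".." || strings.HasPrefix(clean, "../") {
		return "", ErrUnsafePath
	}
	for _, part := range strings.Split(clean, "/") {
		if strings.EqualFold(part, ".git") {
			return "", ErrUnsafePath
		}
	}
	return clean, nil
}

// JoinUnderRoot validates rel and joins it under root, then re-checks that the
// result still lies strictly inside root. The second check is defence in depth:
// if the validation rules above are ever loosened, escapes are still caught here.
func JoinUnderRoot(root, rel string) (string, error) {
	clean, err := ValidateRepoRelPath(rel)
	if err != nil {
		return "", err
	}
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	full := filepath.Join(absRoot, filepath.FromSlash(clean))
	if !strings.HasPrefix(full, absRoot+string(filepath.Separator)) {
		return "", ErrUnsafePath
	}
	return full, nil
}

func main() {
	// Constructed sample inputs: a benign file, a traversal into .git,
	// and a wiki-style rename that tries to leave the wiki directory.
	for _, rel := range []string{
		"docs/README.md",
		"docs/../.git/hooks/post-receive",
		"../../etc/passwd",
	} {
		p, err := JoinUnderRoot("/srv/gogs/repos/example.git/wiki", rel)
		fmt.Printf("%-36q -> %q %v\n", rel, p, err)
	}
}
```

The cleaning step alone is not enough: `filepath.Clean` happily returns `.git/config` for `docs/../.git/config`, so the per-component check is what actually enforces the .git rule, and the prefix test in JoinUnderRoot is what catches a root escape even if a future rule change lets a `..` through.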


Article by CyberSIXT