{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-52811", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-06-08T18:11:06.659Z", "datePublished": "2026-06-24T20:31:38.233Z", "dateUpdated": "2026-06-24T20:31:38.233Z"}, "containers": {"cna": {"title": "Gogs: UploadRepoFiles writes outside repo working tree via committed parent sym", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-59", "lang": "en", "description": "CWE-59: Improper Link Resolution Before File Access ('Link Following')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-61", "lang": "en", "description": "CWE-61: UNIX Symbolic Link (Symlink) Following", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "baseScore": 9, "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "version": "4.0"}}], "references": [{"name": "https://github.com/gogs/gogs/security/advisories/GHSA-89mr-xqfv-758m", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/gogs/gogs/security/advisories/GHSA-89mr-xqfv-758m"}, {"name": "https://github.com/gogs/gogs/pull/8332", "tags": ["x_refsource_MISC"], "url": "https://github.com/gogs/gogs/pull/8332"}, {"name": "https://github.com/gogs/gogs/commit/04cb8afbb01d855454e59977a1cdbf522ea1db31", "tags": ["x_refsource_MISC"], "url": "https://github.com/gogs/gogs/commit/04cb8afbb01d855454e59977a1cdbf522ea1db31"}, {"name": "https://github.com/gogs/gogs/releases/tag/v0.14.3", "tags": ["x_refsource_MISC"], "url": "https://github.com/gogs/gogs/releases/tag/v0.14.3"}], "affected": [{"vendor": "gogs", "product": "gogs", "versions": [{"version": "< 0.14.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-06-24T20:31:38.233Z"}, "descriptions": [{"lang": "en", "value": "Gogs is an open source self-hosted Git service. Prior to 0.14.3, (*Repository).UploadRepoFiles checks for symlinks only on the leaf of the upload target (osx.IsSymlink(targetPath)). The siblings UpdateRepoFile, DeleteRepoFile, and GetDiffPreview use hasSymlinkInPath, which lstats every component \u2014 UploadRepoFiles is the lone outlier. An attacker with repo-write access plus a multipart upload whose filename contains a literal backslash (preserved by filepath.Base on Linux, then converted to / by pathx.Clean) redirects the write through a previously-committed directory symlink. iox.CopyFile opens the destination with os.Create (no O_NOFOLLOW), so the kernel follows the parent symlink and writes attacker bytes anywhere the gogs UID can write \u2014 ~git/.ssh/authorized_keys \u2192 SSH foothold, or <repo>.git/hooks/post-receive \u2192 next-push RCE. This vulnerability is fixed in 0.14.3."}], "source": {"advisory": "GHSA-89mr-xqfv-758m", "discovery": "UNKNOWN"}}}}

{}

{}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.14.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "gogs", "source": "cna", "vendor": "gogs"}, "product": "gogs", "vendor": "gogs"}], "created": "2026-06-24T22:45:15.369909+00:00", "updated": "2026-06-25T05:15:03.327153+00:00", "vendors": ["gogs", "gogs$PRODUCT$gogs"]}