CVE-2026-25921

EUVD-2026-9850
Gogs is an open source self-hosted Git service. Prior to version 0.14.2, overwritable LFS object across different repos leads to supply-chain attack, all LFS objects are vulnerable to be maliciously overwritten by malicious attackers. This issue has been patched in version 0.14.2.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
9.3 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:L
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Affected Products (NVD)
VendorProductVersion
gogsgogs
𝑥
< 0.14.2
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/gogs/gogs/commit/81ee8836445ac888d99da8b652be7d5cbc5c4d5c
https://github.com/gogs/gogs/pull/8166
https://github.com/gogs/gogs/releases/tag/v0.14.2
https://github.com/gogs/gogs/security/advisories/GHSA-cj4v-437j-jq4c