CVE-2024-39933

HIGH

Gogs through 0.13.0 allows argument injection during the tagging of a new release.

CVSS v3.1 Score

7.7
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Attack Vector
NETWORK
Complexity
LOW
Privileges
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality
HIGH
Integrity
NONE
Availability
NONE
Published: 7/4/2024Modified: 4/10/2025

Related Intelligence (1)

CRITICALData Breach

Authenticated RCE via Argument Injection in Gogs (NOT FIXED)

Overview Rapid7 Labs discovered a critical argument injection ( CWE-88 ) vulnerability in Gogs , a popular open-source self-hosted Git service. Rapid7 Labs scores this vulnerability as CVSSv4 9.4 (Critical). The vulnerability allows any authenticated user to achieve remote code execution (RCE) on the server by creating a pull request with a malicious branch name that injects the --exec flag into g

CVE-2024-39933CVE-2024-39932
Rapid7

References (4)

https://github.com/gogs/gogs/releasesRelease Noteshttps://www.sonarsource.com/blog/securing-developer-tools-unpatched-code-vulnerabilities-in-gogs-1/ExploitMitigationhttps://github.com/gogs/gogs/releasesRelease Noteshttps://www.sonarsource.com/blog/securing-developer-tools-unpatched-code-vulnerabilities-in-gogs-1/ExploitMitigation