Affected by GO-2022-0369 and 19 other vulnerabilities

GO-2022-0369: Gogs vulnerable to improper PAM authorization handling in gogs.io/gogs

GO-2022-0377: SSRF in repository migration in gogs.io/gogs

GO-2022-0471: OS Command Injection in gogs in gogs.io/gogs

GO-2022-0473: Cross site scripting via cookies in gogs in gogs.io/gogs

GO-2022-0483: Cross-site Scripting vulnerability in repository issue list in Gogs in gogs.io/gogs

GO-2022-0554: Unrestricted Upload of File with Dangerous Type in Gogs in gogs.io/gogs

GO-2022-0556: OS Command Injection in file editor in Gogs in gogs.io/gogs

GO-2022-0562: Path Traversal in Git HTTP endpoints in Gogs in gogs.io/gogs

GO-2022-0566: SSRF in repository migration in gogs.io/gogs

GO-2022-0570: Path Traversal in file editor on Windows in Gogs in gogs.io/gogs

GO-2022-0583: Server-Side Request Forgery in gogs webhook in gogs.io/gogs

GO-2022-0597: Cross-site Scripting in Gogs in gogs.io/gogs

GO-2022-0749: OS Command Injection in gogs in gogs.io/gogs

GO-2022-1060: Gogs vulnerable to Cross-site Scripting in gogs.io/gogs

GO-2023-1596: Gogs OS Command Injection vulnerability in gogs.io/gogs

GO-2024-3275: Unpatched Remote Code Execution in Gogs in gogs.io/gogs

GO-2024-3355: Remote Command Execution in file editing in gogs in gogs.io/gogs

GO-2024-3356: Path Traversal in file update API in gogs in gogs.io/gogs

GO-2025-3776: Gogs allows deletion of internal files which leads to remote command execution in gogs.io/gogs

GO-2025-3778: Gogs XSS allowed by stored call in PDF renderer in gogs.io/gogs

internal/

Details

Path	Synopsis
app
assets
conf
templates
auth
github
ldap Package ldap provide functions & structure to query a LDAP ldap directory For now, it's mainly tested again an MS Active Directory service, see README.md for more information	Package ldap provide functions & structure to query a LDAP ldap directory For now, it's mainly tested again an MS Active Directory service, see README.md for more information
pam
authutil
avatar
cmd
conf
context
cron
cryptoutil
db FIXME: Put this file into its own package and separate into different files based on login sources.	FIXME: Put this file into its own package and separate into different files based on login sources.
errors
migrations
dbutil
email
errutil
form
gitutil
httplib
lazyregexp Package lazyregexp is a thin wrapper over regexp, allowing the use of global regexp variables without forcing them to be compiled at init.	Package lazyregexp is a thin wrapper over regexp, allowing the use of global regexp variables without forcing them to be compiled at init.
lfsutil
markup
mocks
netutil
osutil
pathutil
process
route
admin
api/v1
api/v1/admin
api/v1/convert
api/v1/misc
api/v1/org
api/v1/repo
api/v1/user
dev
lfs
org
repo
user
semverutil
ssh
strutil
sync
template
highlight
testutil
tool