Affected by GO-2022-0369 and 25 other vulnerabilities

GO-2022-0369: Gogs vulnerable to improper PAM authorization handling in gogs.io/gogs

GO-2022-0377: SSRF in repository migration in gogs.io/gogs

GO-2022-0471: OS Command Injection in gogs in gogs.io/gogs

GO-2022-0473: Cross site scripting via cookies in gogs in gogs.io/gogs

GO-2022-0483: Cross-site Scripting vulnerability in repository issue list in Gogs in gogs.io/gogs

GO-2022-0554: Unrestricted Upload of File with Dangerous Type in Gogs in gogs.io/gogs

GO-2022-0556: OS Command Injection in file editor in Gogs in gogs.io/gogs

GO-2022-0562: Path Traversal in Git HTTP endpoints in Gogs in gogs.io/gogs

GO-2022-0566: SSRF in repository migration in gogs.io/gogs

GO-2022-0570: Path Traversal in file editor on Windows in Gogs in gogs.io/gogs

GO-2022-0583: Server-Side Request Forgery in gogs webhook in gogs.io/gogs

GO-2022-0597: Cross-site Scripting in Gogs in gogs.io/gogs

GO-2022-0642: Cross-site Scripting in Gogs in gogs.io/gogs

GO-2022-0749: OS Command Injection in gogs in gogs.io/gogs

GO-2022-0788: Insecure Permissions in Gogs in gogs.io/gogs

GO-2022-0797: Insecure Permissions in Gogs in gogs.io/gogs

GO-2022-0822: Open Redirect in gogs.io/gogs

GO-2022-0831: SQL Injection in Gogs in gogs.io/gogs

GO-2023-1596: Gogs OS Command Injection vulnerability in gogs.io/gogs

GO-2023-1971: Gogs and Gitea SSRF Vulnerability in code.gitea.io/gitea

GO-2023-1972: Gogs XSS Vulnerability in gogs.io/gogs

GO-2024-3275: Unpatched Remote Code Execution in Gogs in gogs.io/gogs

GO-2024-3355: Remote Command Execution in file editing in gogs in gogs.io/gogs

GO-2024-3356: Path Traversal in file update API in gogs in gogs.io/gogs

GO-2025-3776: Gogs allows deletion of internal files which leads to remote command execution in gogs.io/gogs

GO-2025-3778: Gogs XSS allowed by stored call in PDF renderer in gogs.io/gogs

modules/

Details

Path	Synopsis
auth
apiv1
ldap package ldap provide functions & structure to query a LDAP ldap directory For now, it's mainly tested again an MS Active Directory service, see README.md for more information	package ldap provide functions & structure to query a LDAP ldap directory For now, it's mainly tested again an MS Active Directory service, see README.md for more information
avatar It is recommend to use this way cacheDir := "./cache" defaultImg := "./default.jpg" http.Handle("/avatar/", avatar.CacheServer(cacheDir, defaultImg))	It is recommend to use this way cacheDir := "./cache" defaultImg := "./default.jpg" http.Handle("/avatar/", avatar.CacheServer(cacheDir, defaultImg))
base
bin
cron
hooks
httplib
log Package log is a wrapper of logs for short calling name.	Package log is a wrapper of logs for short calling name.
mailer
middleware foked from https://github.com/martini-contrib/render/blob/master/render.go	foked from https://github.com/martini-contrib/render/blob/master/render.go
binding
setting
social
workers