{"package":"gogs.io/gogs","ecosystem":"go","latest_version":"v0.13.3","description":"","license":"MIT","license_risk":"permissive","commercial_use_notes":"Permissive: commercial closed-source use OK; preserve the copyright notice.","homepage":"https://pkg.go.dev/gogs.io/gogs","repository":"","downloads_weekly":0,"health":{"score":25,"risk":"critical","breakdown":{"maintenance":10,"popularity":0,"security":0,"maturity":15,"community":0},"deprecated":false,"max_score":100},"vulnerabilities":{"count":42,"critical":2,"high":8,"medium":10,"low":22,"details":[{"vuln_id":"GO-2026-4454","severity":"high","summary":"Gogs vulnerable to Stored XSS via Mermaid diagrams","affected_versions":"<0.13.4","fixed_version":"0.13.4","source":"osv","published_at":"2026-02-06T19:44:14Z","in_kev":false,"threat_tier":"unknown"},{"vuln_id":"CVE-2026-25232","severity":"high","summary":"Gogs has a Protected Branch Deletion Bypass in Web Interface","affected_versions":"<0.14.1","fixed_version":"0.14.1","source":"osv","published_at":"2026-02-17T18:43:00Z","in_kev":false,"epss_prob":0.00016,"epss_percentile":0.03831,"threat_tier":"theoretical"},{"vuln_id":"CVE-2026-23632","severity":"medium","summary":" Gogs user can update repository content with read-only permission","affected_versions":"<0.13.4","fixed_version":"0.13.4","source":"osv","published_at":"2026-02-06T18:10:05Z","in_kev":false,"epss_prob":0.00019,"epss_percentile":0.0519,"threat_tier":"theoretical"},{"vuln_id":"CVE-2026-25921","severity":"critical","summary":"Gogs: Cross-repository LFS object overwrite via missing content hash verification","affected_versions":"<0.14.2","fixed_version":"0.14.2","source":"osv","published_at":"2026-03-05T19:14:41Z","in_kev":false,"epss_prob":0.00033,"epss_percentile":0.09693,"threat_tier":"theoretical"},{"vuln_id":"CVE-2026-22592","severity":"medium","summary":"Gogs has a Denial of Service 
issue","affected_versions":"<0.13.4","fixed_version":"0.13.4","source":"osv","published_at":"2026-02-06T18:08:16Z","in_kev":false,"epss_prob":0.00019,"epss_percentile":0.05165,"threat_tier":"theoretical"},{"vuln_id":"CVE-2026-25229","severity":"medium","summary":"Gogs has an Authorization Bypass Allows Cross-Repository Label Modification in Gogs","affected_versions":"<0.14.0","fixed_version":"0.14.0","source":"osv","published_at":"2026-02-17T18:42:08Z","in_kev":false,"epss_prob":0.00044,"epss_percentile":0.13275,"threat_tier":"theoretical"},{"vuln_id":"CVE-2026-25242","severity":"medium","summary":"Unauthenticated File Upload in Gogs","affected_versions":"<0.14.1","fixed_version":"0.14.1","source":"osv","published_at":"2026-02-17T18:44:07Z","in_kev":false,"epss_prob":0.001,"epss_percentile":0.27342,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-64111","severity":"critical","summary":"Gogs's update .git/config file allows remote command execution","affected_versions":"<0.13.4","fixed_version":"0.13.4","source":"osv","published_at":"2026-02-06T17:49:27Z","in_kev":false,"epss_prob":0.0023,"epss_percentile":0.45653,"threat_tier":"theoretical"},{"vuln_id":"CVE-2026-25120","severity":"medium","summary":"Gogs Allows Cross-Repository Comment Deletion via DeleteComment","affected_versions":"<0.14.0","fixed_version":"0.14.0","source":"osv","published_at":"2026-02-17T18:40:44Z","in_kev":false,"epss_prob":0.00017,"epss_percentile":0.04106,"threat_tier":"theoretical"},{"vuln_id":"CVE-2026-24135","severity":"high","summary":"Gogs vulnerable to arbitrary file deletion via Path Traversal in wiki page update","affected_versions":"<0.13.4","fixed_version":"0.13.4","source":"osv","published_at":"2026-02-06T18:16:25Z","in_kev":false,"epss_prob":0.00064,"epss_percentile":0.19622,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-8110","severity":"high","summary":"Gogs vulnerable to a bypass of 
CVE-2024-55947","affected_versions":"<=0.13.3","fixed_version":null,"source":"osv","published_at":"2025-12-10T15:31:24Z","in_kev":true,"kev_date_added":"2026-01-12","kev_ransomware":"Unknown","epss_prob":0.21396,"epss_percentile":0.95717,"threat_tier":"actively_exploited"},{"vuln_id":"CVE-2026-23633","severity":"medium","summary":"Gogs has arbitrary file read/write via Path Traversal in Git hook editing","affected_versions":"<0.13.4","fixed_version":"0.13.4","source":"osv","published_at":"2026-02-06T18:14:51Z","in_kev":false,"epss_prob":0.00031,"epss_percentile":0.08961,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-64175","severity":"high","summary":"Gogs Vulnerable to  2FA Bypass via Recovery Code","affected_versions":">=0.11.19,<0.13.4","fixed_version":"0.13.4","source":"osv","published_at":"2026-02-06T17:54:52Z","in_kev":false,"epss_prob":0.00022,"epss_percentile":0.06218,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-65852","severity":"medium","summary":"Gogs has authorization bypass in repository deletion API","affected_versions":"<0.13.4","fixed_version":"0.13.4","source":"osv","published_at":"2026-02-06T19:47:26Z","in_kev":false,"threat_tier":"unknown"},{"vuln_id":"CVE-2026-26194","severity":"high","summary":"Gogs: Release tag option injection in release deletion","affected_versions":"<0.14.2","fixed_version":"0.14.2","source":"osv","published_at":"2026-03-05T19:29:44Z","in_kev":false,"epss_prob":0.00044,"epss_percentile":0.134,"threat_tier":"theoretical"},{"vuln_id":"CVE-2026-26276","severity":"high","summary":"Gogs: DOM-based XSS via milestone selection","affected_versions":"<=0.13.3","fixed_version":null,"source":"osv","published_at":"2026-03-05T20:16:20Z","in_kev":false,"epss_prob":0.00035,"epss_percentile":0.10078,"threat_tier":"theoretical"},{"vuln_id":"CVE-2026-26195","severity":"medium","summary":"Gogs: Stored XSS in branch and wiki views through author and committer 
names","affected_versions":"<=0.13.3","fixed_version":null,"source":"osv","published_at":"2026-03-05T19:48:33Z","in_kev":false,"epss_prob":0.00035,"epss_percentile":0.10172,"threat_tier":"theoretical"},{"vuln_id":"CVE-2026-26196","severity":"medium","summary":"Gogs: Access tokens get exposed through URL params in API requests","affected_versions":"<=0.13.3","fixed_version":null,"source":"osv","published_at":"2026-03-05T19:50:35Z","in_kev":false,"epss_prob":0.00043,"epss_percentile":0.13005,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-47943","severity":"medium","summary":"Gogs XSS allowed by stored call in PDF renderer","affected_versions":"<0.13.3-0.20250608224432-110117b2e5e5|<0.13.3-0.20250608224432-110117b2e5e5","fixed_version":"0.13.3-0.20250608224432-110117b2e5e5","source":"osv","published_at":"2025-06-26T16:54:01Z","in_kev":false,"epss_prob":0.00253,"epss_percentile":0.48626,"threat_tier":"theoretical"},{"vuln_id":"CVE-2026-26022","severity":"high","summary":"Gogs: Stored XSS via data URI in issue comments","affected_versions":"<0.14.2","fixed_version":"0.14.2","source":"osv","published_at":"2026-03-05T19:26:02Z","in_kev":false,"epss_prob":0.00015,"epss_percentile":0.03213,"threat_tier":"theoretical"},{"vuln_id":"CVE-2022-32174","severity":"unknown","summary":"Gogs vulnerable to Cross-site Scripting in gogs.io/gogs","affected_versions":">=0.6.5","fixed_version":null,"source":"osv","published_at":"2024-08-21T16:03:24Z","in_kev":false,"epss_prob":0.02795,"epss_percentile":0.86139,"threat_tier":"theoretical"},{"vuln_id":"CVE-2024-44625","severity":"unknown","summary":"Unpatched Remote Code Execution in Gogs in gogs.io/gogs","affected_versions":null,"fixed_version":null,"source":"osv","published_at":"2024-11-19T17:20:31Z","in_kev":false,"epss_prob":0.75122,"epss_percentile":0.98888,"threat_tier":"likely_exploited"},{"vuln_id":"CVE-2025-47943","severity":"unknown","summary":"Gogs XSS allowed by stored call in PDF renderer in 
gogs.io/gogs","affected_versions":"<0.13.3-0.20250608224432-110117b2e5e5","fixed_version":"0.13.3-0.20250608224432-110117b2e5e5","source":"osv","published_at":"2025-07-28T19:57:13Z","in_kev":false,"epss_prob":0.00253,"epss_percentile":0.48626,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-8110","severity":"unknown","summary":"Gogs vulnerable to a bypass of CVE-2024-55947 in gogs.io/gogs","affected_versions":null,"fixed_version":null,"source":"osv","published_at":"2025-12-15T20:15:46Z","in_kev":true,"kev_date_added":"2026-01-12","kev_ransomware":"Unknown","epss_prob":0.21396,"epss_percentile":0.95717,"threat_tier":"actively_exploited"},{"vuln_id":"CVE-2025-64111","severity":"unknown","summary":"Gogs's update .git/config file allows remote command execution in gogs.io/gogs","affected_versions":null,"fixed_version":null,"source":"osv","published_at":"2026-02-17T18:09:06Z","in_kev":false,"epss_prob":0.0023,"epss_percentile":0.45653,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-64175","severity":"unknown","summary":"Gogs Vulnerable to 2FA Bypass via Recovery Code in gogs.io/gogs","affected_versions":">=0.11.19","fixed_version":null,"source":"osv","published_at":"2026-02-17T18:09:06Z","in_kev":false,"epss_prob":0.00022,"epss_percentile":0.06218,"threat_tier":"theoretical"},{"vuln_id":"CVE-2026-23632","severity":"unknown","summary":"Gogs user can update repository content with read-only permission in gogs.io/gogs","affected_versions":null,"fixed_version":null,"source":"osv","published_at":"2026-02-17T18:09:06Z","in_kev":false,"epss_prob":0.00019,"epss_percentile":0.0519,"threat_tier":"theoretical"},{"vuln_id":"CVE-2026-22592","severity":"unknown","summary":"Gogs has a Denial of Service issue in gogs.io/gogs","affected_versions":null,"fixed_version":null,"source":"osv","published_at":"2026-02-17T18:09:06Z","in_kev":false,"epss_prob":0.00019,"epss_percentile":0.05165,"threat_tier":"theoretical"},{"vuln_id":"CVE-2026-24135","severity":"unknown","summary":"Gogs 
vulnerable to arbitrary file deletion via Path Traversal in wiki page update in gogs.io/gogs","affected_versions":null,"fixed_version":null,"source":"osv","published_at":"2026-02-17T18:09:06Z","in_kev":false,"epss_prob":0.00064,"epss_percentile":0.19622,"threat_tier":"theoretical"},{"vuln_id":"CVE-2026-23633","severity":"unknown","summary":"Gogs has arbitrary file read/write via Path Traversal in Git hook editing in gogs.io/gogs","affected_versions":null,"fixed_version":null,"source":"osv","published_at":"2026-02-17T18:09:06Z","in_kev":false,"epss_prob":0.00031,"epss_percentile":0.08961,"threat_tier":"theoretical"},{"vuln_id":"GHSA-26gq-grmh-6xm6","severity":"unknown","summary":"Gogs vulnerable to Stored XSS via Mermaid diagrams in gogs.io/gogs","affected_versions":null,"fixed_version":null,"source":"osv","published_at":"2026-02-17T18:09:06Z","in_kev":false,"threat_tier":"unknown"},{"vuln_id":"CVE-2025-65852","severity":"unknown","summary":"Gogs has authorization bypass in repository deletion API in gogs.io/gogs","affected_versions":null,"fixed_version":null,"source":"osv","published_at":"2026-02-17T18:09:06Z","in_kev":false,"threat_tier":"unknown"},{"vuln_id":"CVE-2026-25232","severity":"unknown","summary":"Gogs has a Protected Branch Deletion Bypass in Web Interface in gogs.io/gogs","affected_versions":null,"fixed_version":null,"source":"osv","published_at":"2026-02-23T18:23:12Z","in_kev":false,"epss_prob":0.00016,"epss_percentile":0.03831,"threat_tier":"theoretical"},{"vuln_id":"CVE-2026-25229","severity":"unknown","summary":"Gogs has an Authorization Bypass Allows Cross-Repository Label Modification in Gogs in gogs.io/gogs","affected_versions":null,"fixed_version":null,"source":"osv","published_at":"2026-02-23T18:23:12Z","in_kev":false,"epss_prob":0.00044,"epss_percentile":0.13275,"threat_tier":"theoretical"},{"vuln_id":"CVE-2026-25242","severity":"unknown","summary":"Unauthenticated File Upload in Gogs in 
gogs.io/gogs","affected_versions":null,"fixed_version":null,"source":"osv","published_at":"2026-02-23T18:23:12Z","in_kev":false,"epss_prob":0.001,"epss_percentile":0.27342,"threat_tier":"theoretical"},{"vuln_id":"CVE-2026-25120","severity":"unknown","summary":"Gogs Allows Cross-Repository Comment Deletion via DeleteComment in gogs.io/gogs","affected_versions":null,"fixed_version":null,"source":"osv","published_at":"2026-02-23T18:23:12Z","in_kev":false,"epss_prob":0.00017,"epss_percentile":0.04106,"threat_tier":"theoretical"},{"vuln_id":"CVE-2026-25921","severity":"unknown","summary":"Gogs: Cross-repository LFS object overwrite via missing content hash verification in gogs.io/gogs","affected_versions":null,"fixed_version":null,"source":"osv","published_at":"2026-03-10T18:28:10Z","in_kev":false,"epss_prob":0.00033,"epss_percentile":0.09693,"threat_tier":"theoretical"},{"vuln_id":"CVE-2026-26194","severity":"unknown","summary":"Gogs: Release tag option injection in release deletion in gogs.io/gogs","affected_versions":null,"fixed_version":null,"source":"osv","published_at":"2026-03-10T18:28:10Z","in_kev":false,"epss_prob":0.00044,"epss_percentile":0.134,"threat_tier":"theoretical"},{"vuln_id":"CVE-2026-26195","severity":"unknown","summary":"Gogs: Stored XSS in branch and wiki views through author and committer names in gogs.io/gogs","affected_versions":null,"fixed_version":null,"source":"osv","published_at":"2026-03-10T18:28:10Z","in_kev":false,"epss_prob":0.00035,"epss_percentile":0.10172,"threat_tier":"theoretical"},{"vuln_id":"CVE-2026-26196","severity":"unknown","summary":"Gogs: Access tokens get exposed through URL params in API requests in gogs.io/gogs","affected_versions":null,"fixed_version":null,"source":"osv","published_at":"2026-03-10T18:28:10Z","in_kev":false,"epss_prob":0.00043,"epss_percentile":0.13005,"threat_tier":"theoretical"},{"vuln_id":"CVE-2026-26022","severity":"unknown","summary":"Gogs: Stored XSS via data URI in issue comments in 
gogs.io/gogs","affected_versions":null,"fixed_version":null,"source":"osv","published_at":"2026-03-10T18:28:10Z","in_kev":false,"epss_prob":0.00015,"epss_percentile":0.03213,"threat_tier":"theoretical"},{"vuln_id":"CVE-2026-26276","severity":"unknown","summary":"Gogs: DOM-based XSS via milestone selection in gogs.io/gogs","affected_versions":null,"fixed_version":null,"source":"osv","published_at":"2026-03-10T18:28:10Z","in_kev":false,"epss_prob":0.00035,"epss_percentile":0.10078,"threat_tier":"theoretical"}],"actively_exploited_count":2,"likely_exploited_count":1},"versions":{"latest":"v0.13.3","total_count":80,"recent":["v0.9.48","v0.12.7","v0.9.97","v0.7.6","v0.13.0","v0.13.3-rc.1","v0.12.10-rc.1","v0.5.9","v0.11.43","v0.9.141","v0.7.19","v0.12.4","v0.11.33","v0.11.34","v0.2.0","v0.12.9-rc.1","v0.9.71","v0.4.2","v0.12.1","v0.12.9"]},"metadata":{"deprecated":false,"deprecated_message":null,"maintainers_count":0,"first_published":null,"last_published":"2025-06-08T22:55:56Z","dependencies_count":0,"dependencies":[]},"github_stats":null,"bundle":null,"typescript":null,"known_issues":{"bugs_count":0,"bugs_severity":{},"status_breakdown":{},"link":null,"scope":"none"},"historical_compromise":null,"recommendation":{"action":"do_not_use","issues":["Low health score (25/100)","8 high severity vulnerabilities","2 critical vulnerabilities"],"use_version":"v0.13.3","version_hint":"Update to >= 0.13.3-0.20250608224432-110117b2e5e5 to fix known vulnerabilities (per the entries listed here this covers CVE-2025-47943 only; other entries list fixed versions 0.13.4 through 0.14.2, and several, including CVE-2025-8110 with in_kev true, list no fixed version)","summary":"gogs.io/gogs has critical vulnerabilities — do not use"},"version_scoped":null,"requested_version":null,"_cache":"hit","_response_ms":1,"_powered_by":"depscope.dev — free package intelligence for AI 
agents","typosquat":{"is_suspected":false},"maintainer_trust":{"available":false},"malicious":{"is_malicious":false},"scorecard":{"available":false},"quality":{"available":false},"version_history_summary":{"total_versions":20,"first_release_age_days":null,"last_release_days_ago":324,"avg_days_between_releases":null,"release_velocity":"moderate"}}