{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22592", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-07T21:50:39.532Z", "datePublished": "2026-02-06T17:42:26.326Z", "dateUpdated": "2026-02-06T18:55:18.874Z"}, "containers": {"cna": {"title": "Gogs is Vulnerable to Denial of Service", "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "lang": "en", "description": "CWE-862: Missing Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/gogs/gogs/security/advisories/GHSA-cr88-6mqm-4g57", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/gogs/gogs/security/advisories/GHSA-cr88-6mqm-4g57"}], "affected": [{"vendor": "gogs", "product": "gogs", "versions": [{"version": "< 0.14.0+dev", "status": "affected"}, {"version": "< 0.13.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-06T17:42:26.326Z"}, "descriptions": [{"lang": "en", "value": "Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, an authenticated user can cause a DOS attack. If one of the repo files is deleted before synchronization, it will cause the application to crash. This issue has been patched in versions 0.13.4 and 0.14.0+dev."}], "source": {"advisory": "GHSA-cr88-6mqm-4g57", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/gogs/gogs/security/advisories/GHSA-cr88-6mqm-4g57", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-06T18:55:12.756594Z", "id": "CVE-2026-22592", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-06T18:55:18.874Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22592", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-06T18:55:12.756594Z"}}}], "references": [{"url": "https://github.com/gogs/gogs/security/advisories/GHSA-cr88-6mqm-4g57", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-06T18:55:03.347Z"}}], "cna": {"title": "Gogs is Vulnerable to Denial of Service", "source": {"advisory": "GHSA-cr88-6mqm-4g57", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "gogs", "product": "gogs", "versions": [{"status": "affected", "version": "< 0.14.0+dev"}, {"status": "affected", "version": "< 0.13.4"}]}], "references": [{"url": "https://github.com/gogs/gogs/security/advisories/GHSA-cr88-6mqm-4g57", "name": "https://github.com/gogs/gogs/security/advisories/GHSA-cr88-6mqm-4g57", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, an authenticated user can cause a DOS attack. If one of the repo files is deleted before synchronization, it will cause the application to crash. This issue has been patched in versions 0.13.4 and 0.14.0+dev."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-06T17:42:26.326Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22592", "state": "PUBLISHED", "dateUpdated": "2026-02-06T18:55:18.874Z", "dateReserved": "2026-01-07T21:50:39.532Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-06T17:42:26.326Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gogs:gogs:*:*:*:*:*:*:*:*", "matchCriteriaId": "674F0DE0-7669-4B02-B45E-DD60FB5D462F", "versionEndExcluding": "0.13.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, an authenticated user can cause a DOS attack. If one of the repo files is deleted before synchronization, it will cause the application to crash. This issue has been patched in versions 0.13.4 and 0.14.0+dev."}], "id": "CVE-2026-22592", "lastModified": "2026-02-17T21:40:59.010", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-06T18:15:56.357", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/gogs/gogs/security/advisories/GHSA-cr88-6mqm-4g57"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/gogs/gogs/security/advisories/GHSA-cr88-6mqm-4g57"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T18:23:41.334793+00:00", "value": {"mitigation_remediation": ["Upgrade Gogs to 0.13.4 or later (including 0.14.0+dev).", "If an upgrade cannot be performed immediately, restrict deletion of repository files or temporarily disable synchronization until the update is applied.", "Configure file\u2011system permissions to prevent users from deleting repository files that are not already scheduled for removal, thereby reducing the chance of a crash."], "summary": {"action": "Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Gogs self-hosted Git service for all installations running version 0.13.3 or earlier. The issue has been fixed in 0.13.4 and in subsequent development builds 0.14.0+.", "description_and_impact": "A flaw in the Gogs source-code Git service allows a user with authentication to terminate the application by deleting a repository file before the system synchronizes it. The bug triggers an internal crash, disrupting the availability of the service for all users. The weakness is categorized as a missing authorization flaw (CWE\u2011862).", "risk_and_exploitability": "The CVSS score of 6.5 indicates a moderate severity. The EPSS value of less than 1% suggests a low probability of exploitation. Because the attack requires an authenticated user with write access to a repository, the threat surface is limited primarily to insiders or compromised accounts, and it is not currently listed in the CISA KEV catalog."}}}}, "created": "2026-02-09T10:49:58.130110+00:00", "updated": "2026-04-18T18:30:07.285631+00:00", "vendors": ["gogs", "gogs$PRODUCT$gogs"]}