{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23633", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-14T16:08:37.483Z", "datePublished": "2026-02-06T17:46:59.683Z", "dateUpdated": "2026-02-06T18:53:26.328Z"}, "containers": {"cna": {"title": "Gogs has arbitrary file read/write via path traversal in Git hook editing", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/gogs/gogs/security/advisories/GHSA-mrph-w4hh-gx3g", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/gogs/gogs/security/advisories/GHSA-mrph-w4hh-gx3g"}], "affected": [{"vendor": "gogs", "product": "gogs", "versions": [{"version": "< 0.14.0+dev", "status": "affected"}, {"version": "< 0.13.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-06T17:46:59.683Z"}, "descriptions": [{"lang": "en", "value": "Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, there is an arbitrary file read/write via path traversal in Git hook editing. This issue has been patched in versions 0.13.4 and 0.14.0+dev."}], "source": {"advisory": "GHSA-mrph-w4hh-gx3g", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-06T18:53:18.442069Z", "id": "CVE-2026-23633", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-06T18:53:26.328Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-23633", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-06T18:53:18.442069Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-06T18:53:20.945Z"}}], "cna": {"title": "Gogs has arbitrary file read/write via path traversal in Git hook editing", "source": {"advisory": "GHSA-mrph-w4hh-gx3g", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "gogs", "product": "gogs", "versions": [{"status": "affected", "version": "< 0.14.0+dev"}, {"status": "affected", "version": "< 0.13.4"}]}], "references": [{"url": "https://github.com/gogs/gogs/security/advisories/GHSA-mrph-w4hh-gx3g", "name": "https://github.com/gogs/gogs/security/advisories/GHSA-mrph-w4hh-gx3g", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, there is an arbitrary file read/write via path traversal in Git hook editing. This issue has been patched in versions 0.13.4 and 0.14.0+dev."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-06T17:46:59.683Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23633", "state": "PUBLISHED", "dateUpdated": "2026-02-06T18:53:26.328Z", "dateReserved": "2026-01-14T16:08:37.483Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-06T17:46:59.683Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gogs:gogs:*:*:*:*:*:*:*:*", "matchCriteriaId": "674F0DE0-7669-4B02-B45E-DD60FB5D462F", "versionEndExcluding": "0.13.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, there is an arbitrary file read/write via path traversal in Git hook editing. This issue has been patched in versions 0.13.4 and 0.14.0+dev."}], "id": "CVE-2026-23633", "lastModified": "2026-02-17T21:54:40.833", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-06T18:15:56.727", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/gogs/gogs/security/advisories/GHSA-mrph-w4hh-gx3g"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T13:33:14.779816+00:00", "value": {"mitigation_remediation": ["Ensure Gogs is updated to version 0.13.4 or later, which contains the patch for the path traversal flaw.", "If an immediate upgrade is not possible, restrict the ability to edit Git hooks to trusted administrators only and disable the hook editing feature for all other users in the web configuration.", "Apply stricter file permissions on the hook directory, preventing write access to sensitive system locations, and monitor for any anomalous file modifications to detect potential abuse."], "summary": {"action": "Patch", "impact": "Arbitrary File Read/Write via Path Traversal"}, "threat_synthesis": {"affected_systems": "The CVE affects the open source Gogs self\u2011hosted Git service, specifically versions 0.13.3 and earlier. The issue has been addressed in version 0.13.4 and all subsequent releases, including 0.14.0 and later development builds. Systems running the vulnerable branches should be notified of the need to upgrade.", "description_and_impact": "The vulnerability in Gogs occurs when editing Git hook files, allowing an attacker to use directory traversal characters to read or write files anywhere on the host. This results in the ability to access sensitive configuration files, credentials, or to alter executable hook scripts, potentially leading to broader compromise of the system. The weakness is a classic path traversal flaw (CWE\u201122).", "risk_and_exploitability": "The CVSS score of 6.5 indicates a medium severity, while the EPSS score is reported as less than 1\u202f%, suggesting a very low current exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is through the web interface while editing Git hooks, enabling a remote authenticated user to inject traversal sequences and manipulate files outside the repository. If an attacker gains the necessary permissions, the impact can be significant, but the low exploitation likelihood and absence from KEV mitigate immediate threat concerns."}}}}, "created": "2026-02-09T10:50:04.181910+00:00", "updated": "2026-04-18T13:45:45.667426+00:00", "vendors": ["gogs", "gogs$PRODUCT$gogs"]}