{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25921", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-09T16:22:17.785Z", "datePublished": "2026-03-05T18:36:30.692Z", "dateUpdated": "2026-03-06T18:10:49.926Z"}, "containers": {"cna": {"title": "Gogs: Cross-repository LFS object overwrite via missing content hash verification", "problemTypes": [{"descriptions": [{"cweId": "CWE-345", "lang": "en", "description": "CWE-345: Insufficient Verification of Data Authenticity", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/gogs/gogs/security/advisories/GHSA-cj4v-437j-jq4c", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/gogs/gogs/security/advisories/GHSA-cj4v-437j-jq4c"}, {"name": "https://github.com/gogs/gogs/pull/8166", "tags": ["x_refsource_MISC"], "url": "https://github.com/gogs/gogs/pull/8166"}, {"name": "https://github.com/gogs/gogs/commit/81ee8836445ac888d99da8b652be7d5cbc5c4d5c", "tags": ["x_refsource_MISC"], "url": "https://github.com/gogs/gogs/commit/81ee8836445ac888d99da8b652be7d5cbc5c4d5c"}, {"name": "https://github.com/gogs/gogs/releases/tag/v0.14.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/gogs/gogs/releases/tag/v0.14.2"}], "affected": [{"vendor": "gogs", "product": "gogs", "versions": [{"version": "< 0.14.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-05T18:36:30.692Z"}, "descriptions": [{"lang": "en", "value": "Gogs is an open source self-hosted Git service. Prior to version 0.14.2, overwritable LFS object across different repos leads to supply-chain attack, all LFS objects are vulnerable to be maliciously overwritten by malicious attackers. This issue has been patched in version 0.14.2."}], "source": {"advisory": "GHSA-cj4v-437j-jq4c", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-06T18:10:40.475842Z", "id": "CVE-2026-25921", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T18:10:49.926Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25921", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-09T16:22:17.785Z", "datePublished": "2026-03-05T18:36:30.692Z", "dateUpdated": "2026-03-06T18:10:49.926Z"}, "containers": {"cna": {"title": "Gogs: Cross-repository LFS object overwrite via missing content hash verification", "problemTypes": [{"descriptions": [{"cweId": "CWE-345", "lang": "en", "description": "CWE-345: Insufficient Verification of Data Authenticity", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/gogs/gogs/security/advisories/GHSA-cj4v-437j-jq4c", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/gogs/gogs/security/advisories/GHSA-cj4v-437j-jq4c"}, {"name": "https://github.com/gogs/gogs/pull/8166", "tags": ["x_refsource_MISC"], "url": "https://github.com/gogs/gogs/pull/8166"}, {"name": "https://github.com/gogs/gogs/commit/81ee8836445ac888d99da8b652be7d5cbc5c4d5c", "tags": ["x_refsource_MISC"], "url": "https://github.com/gogs/gogs/commit/81ee8836445ac888d99da8b652be7d5cbc5c4d5c"}, {"name": "https://github.com/gogs/gogs/releases/tag/v0.14.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/gogs/gogs/releases/tag/v0.14.2"}], "affected": [{"vendor": "gogs", "product": "gogs", "versions": [{"version": "< 0.14.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-05T18:36:30.692Z"}, "descriptions": [{"lang": "en", "value": "Gogs is an open source self-hosted Git service. Prior to version 0.14.2, overwritable LFS object across different repos leads to supply-chain attack, all LFS objects are vulnerable to be maliciously overwritten by malicious attackers. This issue has been patched in version 0.14.2."}], "source": {"advisory": "GHSA-cj4v-437j-jq4c", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25921", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-06T18:10:40.475842Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T18:10:45.647Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gogs:gogs:*:*:*:*:*:*:*:*", "matchCriteriaId": "0EDBB1E3-57E4-4560-A44F-7C54FD21C8B9", "versionEndExcluding": "0.14.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Gogs is an open source self-hosted Git service. Prior to version 0.14.2, overwritable LFS object across different repos leads to supply-chain attack, all LFS objects are vulnerable to be maliciously overwritten by malicious attackers. This issue has been patched in version 0.14.2."}], "id": "CVE-2026-25921", "lastModified": "2026-03-06T14:02:02.117", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-05T19:16:03.183", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/gogs/gogs/commit/81ee8836445ac888d99da8b652be7d5cbc5c4d5c"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking"], "url": "https://github.com/gogs/gogs/pull/8166"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/gogs/gogs/releases/tag/v0.14.2"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory", "Mitigation"], "url": "https://github.com/gogs/gogs/security/advisories/GHSA-cj4v-437j-jq4c"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-345"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.14.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "gogs", "source": "cna", "vendor": "gogs"}, "product": "gogs", "vendor": "gogs"}], "analysis": {"en": {"generated_at": "2026-04-16T12:15:08.949879+00:00", "value": {"mitigation_remediation": ["Apply the official Gogs update to version 0.14.2 or later, which restores content hash verification for LFS uploads.", "Immediately revoke or replace any LFS objects in repositories that could have been overwritten, and rebuild affected artifacts from trusted sources.", "Audit repository histories for inadvertent LFS changes and restore from backups or source control if contamination is detected."], "summary": {"action": "Immediate Patch", "impact": "LFS Object Overwrite allows malicious code to be injected across repositories, compromising code integrity."}, "threat_synthesis": {"affected_systems": "The affected product is the Gogs self\u2011hosted Git service, specifically all versions earlier than 0.14.2. Users running any earlier build of Gogs on their own servers are vulnerable. Patches have been released in release 0.14.2 and later. There is no indication that specific operating systems or configuration modes modify the risk, so the entire Gogs customer base prior to the patch is at risk.", "description_and_impact": "Gogs instances prior to version 0.14.2 allow an attacker to overwrite any LFS object in any repository without content hash verification. This vulnerability can be leveraged to replace legitimate large file objects with attacker\u2011controlled binaries or scripts, effectively injecting malicious code into software artifacts. The flaw is a severe code injection vector that undermines confidentiality and integrity of codebases, granting disruptors control over potentially critical assets.", "risk_and_exploitability": "The CVSS score of 9.3 indicates a critical severity. EPSS indicates the likelihood of exploitation is very low (<1%), and the vulnerability is not currently catalogued in CISA\u2019s KEV list. The attack vector is inferred to be remote, using the standard LFS upload endpoints exposed by the service. An attacker needs write access to a repository or the ability to submit LFS objects to the server, which is often the case for collaborators or public projects. If such access is available, the attacker can trigger the overwrite by uploading a malicious LFS file with a matching key used by other repositories."}}}}, "created": "2026-03-06T15:01:25.072055+00:00", "updated": "2026-04-16T12:15:35.097301+00:00", "vendors": ["gogs", "gogs$PRODUCT$gogs"]}