Security

Report a vulnerability

SECURITY.md

Security policy

Supported versions

Only lastest two minor version releases are supported (>= 0.12) for accepting vulnerability reports and patching fixes.

Existing vulnerability reports are being tracked in GitHub Security Advisories.

Vulnerability lifecycle

Important

Starting Nov 9, 2023 00:00 UTC, only security vulnerabilities reported through GitHub Security Advisories are accepted. Pre-existing vulnerability reported through https://huntr.dev/ or email (security@gogs.io) will continue to be worked through.

Report a vulnerability
Project maintainers review the report and either:
- Ask clarifying questions
- Confirm or deny the vulnerability
Once the vulnerability is confirmed, the reporter may submit a patch or wait for project maintainers to patch.
- The latter is usually significantly slower.
Patch releases will be made for the supported versions.
Publish the report on GitHub Security Advisories.

Thank you!

OS Command Injection in repo editor on case-insensitive file systems
GHSA-pfvh-p8qp-9ww9 published Feb 25, 2023 by unknwon

Critical
Stored XSS Assignee
GHSA-3ghq-jqx4-4c4f published Feb 25, 2023 by unknwon

Critical
Path Traversal in Git HTTP endpoints
GHSA-6vcc-v9vw-g2x5 published Jun 8, 2022 by unknwon

High
Path Traversal in file editor on Windows
GHSA-994f-7g86-qr56 published Jun 8, 2022 by unknwon

Critical
XSS vulnerability in repository issue list
GHSA-xq4v-vrp9-vcf2 published Jun 8, 2022 by unknwon

Moderate
OS Command Injection in file editor
GHSA-67mx-jc2f-jgjm published Jun 8, 2022 by unknwon

Critical
Remote Command Execution in file editing
GHSA-56j7-2pm8-rgmx published May 31, 2022 by unknwon

Critical
OS Command Injection in file uploading
GHSA-958j-443g-7mm7 published May 31, 2022 by unknwon

Critical
XSS in cookies
GHSA-pj96-4jhv-v792 published May 31, 2022 by unknwon

Low
SSRF in webhook
GHSA-w689-557m-2cvq published May 31, 2022 by unknwon

High

Learn more about advisories related to gogs/gogs in the GitHub Advisory Database