Critical Gogs RCE Vulnerability Lets Any Authenticated User Execute Arbitrary Code

nsamag May 28, 2026
laravel-lang-php-packages-compromised-credential-stealer

What’s new: A critical RCE vulnerability has been disclosed in Gogs, allowing any authenticated user to execute arbitrary code by creating a malicious pull request. The flaw, rated 9.4 on the CVSS, does not have a CVE identifier and remains unpatched as of May 28, 2026.

Who’s affected

All supported platforms of Gogs, including Windows, Linux, and macOS, are impacted. There are approximately 1,141 internet-facing Gogs instances, with many more likely behind VPNs or internal networks.

What to do

  • Restrict user registration by setting DISABLE_REGISTRATION = true in app.ini.
  • Restrict repository creation by setting MAX_CREATION_LIMIT = 0 in app.ini.
  • Audit rebase merge settings to prevent exploitation.

Sources

Related Posts:

More Stories

claude-mythos-ai-10000-high-severity-flaws

Threat Actors Exploit Critical FortiClient EMS Flaw to Deploy Credential Stealer

nsamag May 28, 2026
nsauditor-ai-ee-0-15-3-object-acl-enumeration-boe-short-circuit

NSAuditor AI EE 0.15.3 Closes the 4th and Final S3 Public-Exposure Vector with Object-Level ACL Enumeration and a BucketOwnerEnforced Upstream Short-Circuit

nsamag May 28, 2026
nsauditor-ai-ee-0-15-2-audit-accuracy-calibration-cloudtrail-hardening

NSAuditor AI EE 0.15.x Cumulative — NEW Plugin 1222 Azure Key Vault Deep Auditor (27 → 28), Plus Audit-Accuracy Calibration and CloudTrail Hardening Across 0.15.0, 0.15.1, and 0.15.2

nsamag May 27, 2026

You may have missed

claude-mythos-ai-10000-high-severity-flaws

Threat Actors Exploit Critical FortiClient EMS Flaw to Deploy Credential Stealer

nsamag May 28, 2026
laravel-lang-php-packages-compromised-credential-stealer

Critical Gogs RCE Vulnerability Lets Any Authenticated User Execute Arbitrary Code

nsamag May 28, 2026
nsauditor-ai-ee-0-15-3-object-acl-enumeration-boe-short-circuit

NSAuditor AI EE 0.15.3 Closes the 4th and Final S3 Public-Exposure Vector with Object-Level ACL Enumeration and a BucketOwnerEnforced Upstream Short-Circuit

nsamag May 28, 2026
nsauditor-ai-ee-0-15-2-audit-accuracy-calibration-cloudtrail-hardening

NSAuditor AI EE 0.15.x Cumulative — NEW Plugin 1222 Azure Key Vault Deep Auditor (27 → 28), Plus Audit-Accuracy Calibration and CloudTrail Hardening Across 0.15.0, 0.15.1, and 0.15.2

nsamag May 27, 2026
packagist-supply-chain-attack-8-packages-linux-malware

Malicious npm Package Stole Files From Claude AI User Directory via GitHub

nsamag May 27, 2026