SECURITYTHE REGISTER
No fix yet for critical RCE bug in open-source Git service Gogs - exploit module is out
A critical remote code execution (RCE) vulnerability in Gogs, a self-hosted Git service, remains unpatched despite being reported in March. The flaw allows authenticated users to exploit default installations, steal credentials, and execute arbitrary code. Rapid7 researcher Jonah Burgess disclosed the issue (GHSA-qf6p-p7ww-cwr9) and submitted a proposed fix, but Gogs maintainers have not released a patch, prompting a Metasploit module to be published.
Mentioned
Related Signal
Adjacent reporting
- Critical Gogs RCE Vulnerability Lets Any Authenticated User Execute Arbitrary Code
- Microsoft Patches SharePoint RCE Flaw CVE-2026-45659 Across Server Versions
- Hackers exploit critical flaw in Ninja Forms WordPress plugin
- GitHub fixes RCE flaw that gave access to millions of private repos
- Surge in Bomgar RMM Exploitation Demonstrates Supply Chain Risk
- 13-year-old bug in ActiveMQ lets hackers remotely execute commands