CVE-2026-24135

Gogs vulnerable to arbitrary file deletion via path traversal in wiki page update

CVSS 7.2 HIGH · EPSS 0.7% · CWE-22

In short

Gogs allows authenticated users with wiki write access to delete arbitrary files on the server by manipulating file paths in wiki page updates. This can lead to critical system damage or data loss.

Technical detail

A path traversal vulnerability in the updateWikiPage function allows authenticated attackers with repository wiki write permissions to delete arbitrary files by exploiting the old_title parameter. The vulnerability requires valid repository access but enables unrestricted file deletion through directory traversal techniques, affecting system integrity and availability.

Summary generated and translated by AI from the official description.
Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, a path traversal vulnerability exists in the updateWikiPage function of Gogs. The vulnerability allows an authenticated user with write access to a repository's wiki to delete arbitrary files on the server by manipulating the old_title parameter in the wiki editing form. This issue has been patched in versions 0.13.4 and 0.14.0+dev.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N
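
A containment check of the kind this bug class (CWE-22) calls for, written here as an added example; it is not Gogs's code or its actual patch. The names `safeWikiPath` and `removeOldPage`, the `.md` suffix and the directory layout are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideWiki is returned when a title resolves outside the wiki directory.
var ErrOutsideWiki = errors.New("wiki title resolves outside wiki directory")

// safeWikiPath (hypothetical helper) maps a user-supplied title to a file path
// and rejects anything that leaves wikiDir. The check is lexical only: it does
// not resolve symlinks that already exist inside wikiDir.
func safeWikiPath(wikiDir, title string) (string, error) {
	if title == "" || strings.ContainsRune(title, 0) {
		return "", ErrOutsideWiki
	}
	base, err := filepath.Abs(wikiDir)
	if err != nil {
		return "", err
	}
	candidate := filepath.Join(base, title+".md") // Join cleans ".." segments
	rel, err := filepath.Rel(base, candidate)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideWiki
	}
	return candidate, nil
}

// removeOldPage deletes the previous page file only after the containment check.
func removeOldPage(wikiDir, oldTitle string) error {
	p, err := safeWikiPath(wikiDir, oldTitle)
	if err != nil {
		return err
	}
	if err := os.Remove(p); err != nil && !errors.Is(err, os.ErrNotExist) {
		return err
	}
	return nil
}

func main() {
	for _, t := range []string{"Home", "docs/Setup", "../../outside", "a/../../b"} { // constructed inputs
		_, err := safeWikiPath("/srv/wiki-example", t) // constructed directory
		fmt.Printf("%-16q -> %v\n", t, err)
	}
}
```

The point of the check is that the value taken from the form is validated at the moment it becomes a filesystem path, before any delete or rename call sees it.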
Affected products
gogs · gogs
