CVE-2026-25921NVD

Vulnerability Summary

Gogs is an open source self-hosted Git service. Prior to version 0.14.2, overwritable LFS object across different repos leads to supply-chain attack, all LFS objects are vulnerable to be maliciously overwritten by malicious attackers. This issue has been patched in version 0.14.2.

Severity Level

CRITICAL(9.3)

Published Date

Mar 5, 2026

Last Modified

Mar 6, 2026

Exploitation Status

????

EPSS Score (30-Day)

0.02%Probability

Root Weakness (CWE)

CWE-345: Unknown/Unlisted Weakness ↗

Refer to the official MITRE database for detailed architectural specifications regarding this weakness.

CVSS v3.1 Base Metrics

Attack VectorNetwork

Attack ComplexityLow

Privileges RequiredNone

User InteractionNone

ScopeChanged

ConfidentialityNone

IntegrityHigh

AvailabilityLow

External References

https://github.com/gogs/gogs/commit/81ee8836445ac888d99da8b652be7d5cbc5c4d5c
https://github.com/gogs/gogs/pull/8166
https://github.com/gogs/gogs/releases/tag/v0.14.2
https://github.com/gogs/gogs/security/advisories/GHSA-cj4v-437j-jq4c

Critical Alert 1 Active Exploit Detected Today

CVE Watchtower

CVE-2026-25921NVD

Vulnerability Summary

External References