What Happened
The critical-severity issue, assigned a CVSS score of 9.4, is an argument injection flaw that can be exploited by authenticated attackers via pull requests with malicious branch names. The post Gogs Zero-Day Exposes Servers to Remote Code Execution appeared first on SecurityWeek.
Why It Matters
The article reports a critical, unpatched argument injection vulnerability in the Gogs self-hosted Git service (CVSS 9.4) that allows any authenticated user to achieve remote code execution by submitting a pull request with a malicious branch name that abuses git rebase's --exec flag.[1][3][6][7] According to Rapid7, this enables full compromise of the Gogs server, access to all repositories, credential theft, and cross-tenant data exposure across all supported Gogs platforms.[3][6] From a CyberSE.AI perspective, any AI development or MLOps pipeline that relies on Gogs as a code or model artifact repository faces elevated AI supply chain risk, including potential backdooring of AI agents, training code, or model weights, and silent tampering with security-critical prompts or policies. Organizations should integrate this class of VCS RCE into their AI SBOM and dependency governance, and use continuous AI-focused red teaming to detect model or pipeline compromise resulting from repository-level attacks.
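As an added illustration of the general defence against this class of argument injection (example code written for this summary, not code from Gogs, Rapid7 or SecurityWeek, and not the vendor's patch): a user-controlled ref name is validated before it reaches a git subcommand, and option parsing is terminated so that a name can never be read as a flag such as --exec. Helper names are hypothetical; --end-of-options assumes Git 2.24 or later.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Characters git-check-ref-format forbids anywhere in a ref name:
// ASCII control chars, space, DEL, ~ ^ : ? * [ and backslash.
var badChars = regexp.MustCompile(`[\x00-\x20\x7f~^:?*\[\\]`)

// ValidateRefName applies a subset of git-check-ref-format's rules plus
// git's branch-name rule that a name may not begin with '-'. A leading
// dash is the core of this bug class: git would parse the "ref" as an option.
func ValidateRefName(name string) error {
	switch {
	case name == "" || name == "@":
		return errors.New("empty or bare '@'")
	case strings.HasPrefix(name, "-"):
		return errors.New("starts with '-' and would be parsed as an option")
	case badChars.MatchString(name):
		return errors.New("contains control or special characters")
	case strings.Contains(name, "..") || strings.Contains(name, "@{") ||
		strings.Contains(name, "//"):
		return errors.New("contains a forbidden sequence")
	case strings.HasPrefix(name, "/") || strings.HasSuffix(name, "/") ||
		strings.HasSuffix(name, "."):
		return errors.New("bad leading or trailing character")
	}
	for _, comp := range strings.Split(name, "/") {
		if strings.HasPrefix(comp, ".") || strings.HasSuffix(comp, ".lock") {
			return errors.New("component starts with '.' or ends with .lock")
		}
	}
	return nil
}

// RebaseArgs builds the argv for `git rebase <onto>`, placing the ref after
// --end-of-options so git treats whatever follows as an operand, never a flag.
func RebaseArgs(onto string) ([]string, error) {
	if err := ValidateRefName(onto); err != nil {
		return nil, fmt.Errorf("refusing ref %q: %w", onto, err)
	}
	return []string{"git", "rebase", "--end-of-options", onto}, nil
}

func main() {
	// Constructed inputs: one legitimate branch name, one option-shaped name.
	for _, n := range []string{"feature/login", "--exec"} {
		argv, err := RebaseArgs(n)
		fmt.Println(argv, err)
	}
}
```

The two controls are independent: the validator rejects option-shaped and otherwise invalid names early with a clear error, and the terminator protects any call site where a name slips through unvalidated.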
CyberSE Analysis
This signal maps to the AI supply chain risk category. Organizations using AI agents, LLM APIs, SaaS integrations, or sensitive data workflows should review whether this class of issue could create unauthorized tool execution, data leakage, weak approval gates, or unmanaged supply-chain exposure.
Recommended Actions
- Restrict AI agent tool permissions and production write paths.
- Review sensitive data access across prompts, logs, embeddings, memory, and SaaS integrations.
- Add human approval workflows for high-impact or state-changing actions.
- Run prompt injection and indirect prompt injection tests against affected workflows.
- Document the owner, control gap, and remediation deadline for this risk class.
Source
https://www.securityweek.com/gogs-zero-day-exposes-servers-to-remote-code-execution/