Rapid7 disclosed a critical Gogs vulnerability that can let an authenticated user achieve remote code execution by abusing a malicious branch name during the “Rebase before merging” flow. The flaw affects all supported platforms and can expose repositories, credentials, and private data across tenants, and Rapid7 has released a Metasploit module to automate exploitation. #Gogs #Rapid7 #Metasploit
Keypoints
- A critical Gogs flaw is rated 9.4 on the CVSS scale.
- A malicious branch name can inject the --exec flag into git rebase.
- Any authenticated user may gain remote code execution under the right conditions.
- The issue can affect Windows, Linux, and macOS deployments.
- Rapid7 recommends disabling registration, limiting repository creation, and auditing rebase merge settings.
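The branch-name keypoint above is a classic argument-injection pattern: a name that begins with a dash is parsed by git as an option rather than as a ref, and `git rebase --exec=<cmd>` runs `<cmd>` after every rebased commit. The Go snippet below is an added example written for this page; it is not Gogs' code and not Rapid7's Metasploit module, and the `--exec=id` input is a constructed sample. It contrasts a command builder that splices the user-supplied name straight into argv with one that first checks the name against the rules git itself enforces for branch names (an approximation of `git check-ref-format --branch`) and then adds the `--` end-of-options marker so nothing after it can be read as a flag. Validation is the primary control; the marker is defence in depth.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrBadBranchName is returned for any name that git would refuse, or that
// could be mistaken for an option when placed on git's command line.
var ErrBadBranchName = errors.New("invalid branch name")

// RebaseArgvUnsafe mirrors the dangerous pattern: the caller-controlled
// branch name lands in argv where git's option parser sees it first.
// Illustrative only, not the actual Gogs implementation.
func RebaseArgvUnsafe(upstream, branch string) []string {
	return []string{"git", "rebase", upstream, branch}
}

// ValidateBranchName approximates the checks of `git check-ref-format --branch`.
// The leading-dash rule is the one that blocks option injection such as --exec.
func ValidateBranchName(name string) error {
	if name == "" || name == "@" {
		return fmt.Errorf("%w: empty or '@'", ErrBadBranchName)
	}
	// git's parse-options treats a leading '-' as a flag, so "--exec=<cmd>"
	// would be executed for every commit replayed by the rebase.
	if strings.HasPrefix(name, "-") {
		return fmt.Errorf("%w: %q starts with '-'", ErrBadBranchName, name)
	}
	for _, bad := range []string{"..", "//", "@{", "/.", ".lock/"} {
		if strings.Contains(name, bad) {
			return fmt.Errorf("%w: %q contains %q", ErrBadBranchName, name, bad)
		}
	}
	if strings.HasPrefix(name, "/") || strings.HasPrefix(name, ".") ||
		strings.HasSuffix(name, "/") || strings.HasSuffix(name, ".") ||
		strings.HasSuffix(name, ".lock") {
		return fmt.Errorf("%w: %q has a forbidden prefix or suffix", ErrBadBranchName, name)
	}
	for _, r := range name {
		// Control characters, space, DEL and git's reserved punctuation.
		if r <= 0x20 || r == 0x7f || strings.ContainsRune(`~^:?*[\`, r) {
			return fmt.Errorf("%w: %q contains forbidden character %q", ErrBadBranchName, name, r)
		}
	}
	return nil
}

// RebaseArgvSafe validates both refs, then places them after "--" so that
// git stops option parsing before it reaches user-controlled input.
func RebaseArgvSafe(upstream, branch string) ([]string, error) {
	for _, n := range []string{upstream, branch} {
		if err := ValidateBranchName(n); err != nil {
			return nil, err
		}
	}
	return []string{"git", "rebase", "--", upstream, branch}, nil
}

func main() {
	// Constructed sample input: a branch name shaped like a git option.
	malicious := "--exec=id"

	fmt.Println("unsafe argv:", strings.Join(RebaseArgvUnsafe("main", malicious), " "))

	if _, err := RebaseArgvSafe("main", malicious); err != nil {
		fmt.Println("safe builder rejected it:", err)
	}

	argv, err := RebaseArgvSafe("main", "feature/login")
	if err != nil {
		panic(err)
	}
	fmt.Println("safe argv:  ", strings.Join(argv, " "))
}
```

Run it and the unsafe line prints `git rebase main --exec=id`, i.e. the "branch" has become a flag, while the safe builder returns `ErrBadBranchName` for the same input and emits `git rebase -- main feature/login` for a legitimate name. The same validator belongs at the point where a branch is created or renamed, not only where it is consumed, so an attacker cannot persist an option-shaped name in the repository at all.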
Read More: https://thehackernews.com/2026/05/critical-gogs-rce-vulnerability-lets.html