
gogs

v0.14.2 Security

This release includes 6 security fixes and is relevant to security teams reviewing exposed Gogs deployments.

Published 3 months ago. Category: Git Forges
✓ No known CVEs patched
This release patches 6 known CVEs

Topics

docker, git, go, gogs, mysql, postgresql, raspberry-pi, self-hosted, source-code-management, sqlite, version-control

Summary

AI summary

Patches six security vulnerabilities, including XSS attacks, cross-repository LFS object overwrite, and command injection, and removes the insecure support for passing API tokens as URL query parameters; clients must send the token in the Authorization header instead.

Breaking Changes

  • Support for passing API access tokens via URL query parameters has been removed; send the token in the Authorization header instead.

Security Fixes

  • GHSA-gmf8-978x-2fg2 (Cross-repository LFS object overwrite)
  • GHSA-xrcr-gmf5-2r8j (Stored XSS via data URI in issue comments)
  • GHSA-v9vm-r24h-6rqm (Release tag option injection)
  • GHSA-vgvf-m4fw-938j (Stored XSS in branch/wiki views)
  • GHSA-vgjm-2cpf-4g7c (DOM-based XSS via issue meta)
  • GHSA-x9p5-w45c-7ffc (API token exposure via query parameters)


About gogs

Gogs is a painless self-hosted Git service.
