Skip to content
gogs
Git Forges
A simple, stable self‑hosted Git service that can be deployed as an independent binary on Linux, macOS, Windows and ARM systems.
Go
·
Latest v0.14.2 · 3mo ago
Security brief →
Features
-
User dashboard with activity timeline
-
Repository access via SSH, HTTP and HTTPS
-
Organization, user and repository management
v0.14.2
Security relevant
·
Breaking changes
- Support for passing API access tokens via URL query parameters removed; use Authorization header instead
Security fixes
- GHSA-gmf8-978x-2fg2 (Cross-repository LFS object overwrite)
- GHSA-xrcr-gmf5-2r8j (Stored XSS via data URI in issue comments)
- GHSA-v9vm-r24h-6rqm (Release tag option injection)
v0.14.1
Breaking risk
·
Breaking changes
- Go version requirement increased to 1.25
- Build tag 'cert' removed; gogs cert subcommand now always available
- Switched to pure-Go SQLite driver; CGO no longer required
Security fixes
- Unauthenticated file upload (GHSA-fc3h-92p8-h36f)
- Protected branch bypass in web UI (GHSA-2c6v-8r3v-gh6p)
- Authorization bypass allows cross-repository label modification (GHSA-cv22-72px-f4gh)
Notable features
- Support comparing tags in addition to branches
- Environment variable expansion in app.ini configuration
- Switched to pure-Go SQLite driver (CGO no longer required)
v0.13.4
Security relevant
·
Breaking changes
- PAM tag no longer included in release archives
Security fixes
- DoS in repository mirror sync (GHSA-cr88-6mqm-4g57)
- RCE in repository put contents API (GHSA-gg64-xxr9-qhjp)
- Arbitrary file deletion via path traversal in wiki page update (GHSA-jp7c-wj6q-3qf2)
Weekly OSS security release digest.
The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.
No spam, unsubscribe anytime.
About
Languages
Go
·
Go Template
·
TypeScript
Install & Platforms
Platforms
linux
macos
windows
arm64
Search tools, categories, lists, and users
Use ↑↓ to navigate, Enter to open, Esc to close
No results for ""
⌘K to open
↑↓ navigate
⏎ open
