Skip to content

Release history

gogs releases

Gogs is a painless self-hosted Git service

Back to tool Latest release

All releases

4 shown

v0.14.2 Security relevant
Breaking changes
  • Support for passing API access tokens via URL query parameters removed; use Authorization header instead
Security fixes
  • GHSA-gmf8-978x-2fg2 (Cross-repository LFS object overwrite)
  • GHSA-xrcr-gmf5-2r8j (Stored XSS via data URI in issue comments)
  • GHSA-v9vm-r24h-6rqm (Release tag option injection)
View release on GitHub
v0.14.1 Breaking risk
Breaking changes
  • Go version requirement increased to 1.25
  • Build tag 'cert' removed; gogs cert subcommand now always available
  • Switched to pure-Go SQLite driver; CGO no longer required
Security fixes
  • Unauthenticated file upload (GHSA-fc3h-92p8-h36f)
  • Protected branch bypass in web UI (GHSA-2c6v-8r3v-gh6p)
  • Authorization bypass allows cross-repository label modification (GHSA-cv22-72px-f4gh)
Notable features
  • Support comparing tags in addition to branches
  • Environment variable expansion in app.ini configuration
  • Switched to pure-Go SQLite driver (CGO no longer required)
View release on GitHub
v0.14.0 Maintenance

>[!CAUTION] > This release was pulled back due to issues with builtin SSH server clone hanging, please use [0.14.1](https://github.com/gogs/gogs/releases/tag/v0.14.1) instead.

View release on GitHub
v0.13.4 Security relevant
Breaking changes
  • PAM tag no longer included in release archives
Security fixes
  • DoS in repository mirror sync (GHSA-cr88-6mqm-4g57)
  • RCE in repository put contents API (GHSA-gg64-xxr9-qhjp)
  • Arbitrary file deletion via path traversal in wiki page update (GHSA-jp7c-wj6q-3qf2)
View release on GitHub

Beta — feedback welcome: [email protected]