Gogs: UploadRepoFiles writes outside repo working tree via committed parent sym_CVE-2026-52811

{
    "lastseen": "",
    "description": "Gogs is an open source self-hosted Git service. Prior to 0.14.3, (*Repository).UploadRepoFiles checks for symlinks only on the leaf of the upload target (osx.IsSymlink(targetPath)). The siblings UpdateRepoFile, DeleteRepoFile, and GetDiffPreview use hasSymlinkInPath, which lstats every component \u2014 UploadRepoFiles is the lone outlier. An attacker with repo-write access plus a multipart upload whose filename contains a literal backslash (preserved by filepath.Base on Linux, then converted to / by pathx.Clean) redirects the write through a previously-committed directory symlink. iox.CopyFile opens the destination with os.Create (no O_NOFOLLOW), so the kernel follows the parent symlink and writes attacker bytes anywhere the gogs UID can write \u2014 ~git/.ssh/authorized_keys \u2192 SSH foothold, or <repo>.git/hooks/post-receive \u2192 next-push RCE. This vulnerability is fixed in 0.14.3.",
    "published": "2026-06-24T20:31:38.233Z",
    "modified": "2026-06-24T20:31:38.233Z",
    "type": "cve",
    "title": "Gogs: UploadRepoFiles writes outside repo working tree via committed parent sym",
    "source": "GitHub_M",
    "references": "https://github.com/gogs/gogs/security/advisories/GHSA-89mr-xqfv-758m\nhttps://github.com/gogs/gogs/pull/8332\nhttps://github.com/gogs/gogs/commit/04cb8afbb01d855454e59977a1cdbf522ea1db31\nhttps://github.com/gogs/gogs/releases/tag/v0.14.3",
    "id": "CVE-2026-52811",
    "bulletinFamily": "",
    "cwe": [
        "CWE-22",
        "CWE-59",
        "CWE-61"
    ],
    "cvelist": null,
    "sourceData": "gogs gogs < 0.14.3",
    "sourceHref": "",
    "cvss": {
        "score": 9,
        "severity": "CRITICAL",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "gogs",
    "version": "< 0.14.3",
    "vendor": "gogs",
    "ai_description": "An attacker can exploit a vulnerability in Gogs to write outside the repository working tree via a committed parent symlink, potentially leading to SSH foothold or remote code execution.",
    "ai_severity": "Critical",
    "ai_vendor": "Gogs",
    "ai_product": "Gogs",
    "ai_version": "< 0.14.3",
    "ai_score": 9
}