No fix yet for critical RCE bug in open-source Git service Gogs - exploit module is out

Security No fix yet for critical RCE bug in open-source Git service Gogs - exploit module is out Researcher reported the vuln in March. Maintainers haven't responded to his messages since Jessica Lyons Jessica Lyons Published fri 29 May 2026 // 19:26 UTC There's a huge hole and no one is patching it thus far. A critical, remote code execution (RCE) bug in Gogs, a popular open-source self-hosted Git service, can be exploited by any authenticated user - no special privileges required - on a default installation to fully compromise vulnerable servers, steal credentials and multi-factor authentication secrets, or even modify code in hosted repositories in a wide-reaching supply-chain attack . A security researcher reported the 9.4-rated flaw to project maintainers in mid-March. It still doesn’t have a patch. It does, however, have a public Metasploit module - so we’d expect reports of in-the-wild exploitation to start very soon. MORE CONTEXT AI eyes scanning for bugs create a worrisome Linux security trend Anthropic to release Mythos-class models to the public How to guarantee a speaker gig: Hack the system. Literally Disgruntled 0-day hunter 'humiliated' by Microsoft pledges 'bone shattering drop' as Redmond calls cops The vulnerability affects all supported platforms, including Windows, Linux, and macOS, and installation methods, according to Rapid7 researcher Jonah Burgess, who found and reported the bug to Gogs maintainers via GitHub (GHSA-qf6p-p7ww-cwr9) on March 17. REG AD After they initially acknowledged that they received the report on March 28, Burgess says he never heard back from the Gogs team - not when he asked them for a status update, nor when he reminded them of the vulnerability disclosure date and asked if they wanted an extension to fix the flaw before its release. REG AD “We have not received any further communication from Gogs, and the GHSA has remained unanswered since March 28,” Burgess told The Register . “Because there is currently no official