{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-15T14:08:40.955","vulnerabilities":[{"cve":{"id":"CVE-2026-25242","sourceIdentifier":"security-advisories@github.com","published":"2026-02-19T07:17:45.687","lastModified":"2026-02-19T19:46:19.810","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Gogs is an open source self-hosted Git service. Versions 0.13.4 and below expose unauthenticated file upload endpoints by default. When the global RequireSigninView setting is disabled (default), any remote user can upload arbitrary files to the server via /releases/attachments and /issues/attachments. This enables the instance to be abused as a public file host, potentially leading to disk exhaustion, content hosting, or delivery of malware. CSRF tokens do not mitigate this attack due to same-origin cookie issuance. This issue has been fixed in version 0.14.1."},{"lang":"es","value":"Gogs es un servicio Git autoalojado de código abierto. Las versiones 0.13.4 e inferiores exponen endpoints de carga de archivos no autenticados por defecto. Cuando la configuración global RequireSigninView está deshabilitada (por defecto), cualquier usuario remoto puede cargar archivos arbitrarios al servidor a través de /releases/attachments y /issues/attachments. Esto permite que la instancia sea utilizada indebidamente como un host de archivos público, lo que podría llevar al agotamiento del disco, al alojamiento de contenido o a la entrega de malware. Los tokens CSRF no mitigan este ataque debido a la emisión de cookies del mismo origen. Este problema ha sido solucionado en la versión 0.14.1."}],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":6.9,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-862"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:gogs:gogs:*:*:*:*:*:*:*:*","versionEndExcluding":"0.14.1","matchCriteriaId":"44DD72D9-ED94-407D-8C71-6C2B039C65BB"}]}]}],"references":[{"url":"https://github.com/gogs/gogs/commit/628216d5889fcb838c471f4754f09b935d9cd9f3","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/gogs/gogs/pull/8128","source":"security-advisories@github.com","tags":["Issue Tracking"]},{"url":"https://github.com/gogs/gogs/releases/tag/v0.14.1","source":"security-advisories@github.com","tags":["Release Notes"]},{"url":"https://github.com/gogs/gogs/security/advisories/GHSA-fc3h-92p8-h36f","source":"security-advisories@github.com","tags":["Exploit","Patch","Vendor Advisory"]}]}}]}