U.S. CISA adds a flaw in Gogs to its Known Exploited Vulnerabilities catalog

Pierluigi Paganini
January 12, 2026

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a flaw impacting Gogs to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a Gogs path traversal vulnerability, tracked as CVE-2025-8110 (CVSS Score of 8.7), to its Known Exploited Vulnerabilities (KEV) catalog.

Gogs (Go Git Service) is a lightweight, open-source, self-hosted Git service written in Go.

The vulnerability stems from improper symbolic link handling in the Gogs PutContents API and allows code execution on the server.

Improper symbolic link handling means a symlink is created or followed without being checked, so it can point to files or directories outside the intended or permitted scope.

Wiz Research found the vulnerability while probing a malware incident in July, and the flaw was addressed a week later.

“A symlink bypass (CVE-2025-8110) of a previously patched RCE (CVE-2024-55947) allows authenticated users to overwrite files outside the repository, leading to Remote Code Execution (RCE),” reported Wiz Research. “We identified over 700 compromised instances public-facing on the internet.”

The flaw CVE-2025-8110 is a bypass of an earlier RCE vulnerability, tracked as CVE-2024-55947, which was originally discovered by ManassehZhou.

Gogs had a previous flaw (CVE-2024-55947) in the PutContents API that let attackers write files outside a repository and run commands. The developers fixed it with path validation, but they didn’t check for symbolic links.

The new bypass (CVE-2025-8110) takes advantage of Git’s support for symlinks. An attacker can commit a symlink in a repository that points to a file outside the repo, then use the API to write through the symlink. Because the path check only looks at the path string, the server follows the link and overwrites the target file, such as .git/config, letting the attacker execute commands. This is the same symlink-handling weakness in Gogs surfacing a second time.
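To make the difference between the two checks concrete, the following is an added Go example, not Gogs’ code and not the patch the maintainers or Wiz describe: a purely lexical containment check sits beside a symlink-aware one, and both are run against a constructed directory layout with a planted symlink of the shape described above. The function names, the stand-in `putContents` endpoint, and the `repo`/`outside` layout are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

var (
	ErrOutsideRepo = errors.New("path escapes repository root")
	ErrSymlink     = errors.New("path contains a symbolic link")
)

// lexicalResolve is a string-only check (illustrative, not Gogs' code): it
// cleans the path and verifies the result is under repoRoot. This stops
// "../" traversal but knows nothing about symlinks already in the repository.
func lexicalResolve(repoRoot, rel string) (string, error) {
	root := filepath.Clean(repoRoot)
	target := filepath.Join(root, rel) // Join cleans, collapsing ".." segments
	if !strings.HasPrefix(target, root+string(os.PathSeparator)) {
		return "", ErrOutsideRepo
	}
	return target, nil
}

// symlinkAwareResolve repeats the lexical check, then Lstat's every component
// below repoRoot and refuses if any of them is a symlink, so the later write
// cannot be redirected outside the repository.
func symlinkAwareResolve(repoRoot, rel string) (string, error) {
	target, err := lexicalResolve(repoRoot, rel)
	if err != nil {
		return "", err
	}
	root := filepath.Clean(repoRoot)
	inside, _ := filepath.Rel(root, target) // cannot fail: target is under root
	cur := root
	for _, part := range strings.Split(inside, string(os.PathSeparator)) {
		cur = filepath.Join(cur, part)
		fi, err := os.Lstat(cur) // Lstat inspects the link itself, it does not follow it
		if errors.Is(err, os.ErrNotExist) {
			break // nothing below this point exists yet, so nothing to follow
		}
		if err != nil {
			return "", err
		}
		if fi.Mode()&os.ModeSymlink != 0 {
			return "", ErrSymlink
		}
	}
	return target, nil
}

// putContents is a hypothetical stand-in for a "write file into repository"
// API endpoint: resolve the path with the given policy, then write.
func putContents(resolve func(string, string) (string, error), repoRoot, rel string, data []byte) error {
	target, err := resolve(repoRoot, rel)
	if err != nil {
		return err
	}
	return os.WriteFile(target, data, 0o644) // follows a symlink if target is one
}

// Demo builds a constructed layout under a temp dir: repo/ (the repository),
// outside/victim.txt (a file the API must never touch) and the attacker's
// symlink repo/link -> ../outside/victim.txt. It reports whether the lexical
// check let the write escape and whether the symlink-aware check blocked it.
func Demo() (naiveEscaped bool, hardenedBlocked bool, err error) {
	tmp, err := os.MkdirTemp("", "symlink-demo")
	if err != nil {
		return false, false, err
	}
	defer os.RemoveAll(tmp)

	repo := filepath.Join(tmp, "repo")
	victim := filepath.Join(tmp, "outside", "victim.txt")
	for _, d := range []string{repo, filepath.Dir(victim)} {
		if err := os.MkdirAll(d, 0o755); err != nil {
			return false, false, err
		}
	}
	if err := os.WriteFile(victim, []byte("original"), 0o644); err != nil {
		return false, false, err
	}
	// The symlink an attacker would commit to the repository in an ordinary push.
	if err := os.Symlink(filepath.Join("..", "outside", "victim.txt"), filepath.Join(repo, "link")); err != nil {
		return false, false, err
	}

	// 1. Lexical check: "repo/link" looks like it is inside the repo, so the write
	//    is allowed, and the kernel follows the link to outside/victim.txt.
	if err := putContents(lexicalResolve, repo, "link", []byte("overwritten")); err != nil {
		return false, false, err
	}
	got, err := os.ReadFile(victim)
	if err != nil {
		return false, false, err
	}
	naiveEscaped = string(got) == "overwritten"

	// 2. Symlink-aware check: the same request is refused before anything is opened.
	hardenedBlocked = errors.Is(putContents(symlinkAwareResolve, repo, "link", []byte("again")), ErrSymlink)
	return naiveEscaped, hardenedBlocked, nil
}

func main() {
	escaped, blocked, err := Demo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("lexical check let the write escape: %v\n", escaped)
	fmt.Printf("symlink-aware check blocked it: %v\n", blocked)
}
```

Both checks reject a plain `../outside/victim.txt`; only the second rejects the planted link. One caveat: checking with `Lstat` and then opening leaves a time-of-check/time-of-use window if an attacker can swap a directory for a symlink between the two calls, so a production fix should also open the file with `O_NOFOLLOW` (or, on recent Linux kernels, `openat2` with `RESOLVE_BENEATH`) rather than rely on the walk alone.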

The researchers explained that a malware infection on a customer’s cloud workload revealed a publicly exposed Gogs service. Suspicious repositories with random 8-character names, created shortly before the infection, indicated an automated attack. Expanding the search found approximately 1,400 exposed Gogs instances, with over 700 compromised, all showing the same patterns, suggesting a single actor or group using the same automated tools.


According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix the vulnerabilities by February 2, 2026.

Pierluigi Paganini


(SecurityAffairs – hacking, US CISA Known Exploited Vulnerabilities catalog)
