Ravie LakshmananMay 28, 2026Vulnerability / Open Source
A critical security vulnerability has been disclosed in Gogs, a popular open-source self-hosted Git service, that allows an authenticated user to execute arbitrary code under certain conditions.
The security flaw, per Rapid7, is rated 9.4 on the CVSS scoring system. It does not have a CVE identifier.
"The vulnerability allows any authenticated user to achieve remote code execution (RCE) on the server by creating a pull request with a malicious branch name that injects the --exec flag into git rebase during the 'Rebase before merging' merge operation," security researcher Jonah Burgess said.
Rebasing is a Git action that's used to take a sequence of commits from one feature branch and replay them on top of another base branch to create a linear project history. While "git rebase" solves the same problem as "git merge" -- i.e., integrating changes from one branch into another -- the former rewrites the project history by creating new commits for each commit in the original branch.
