CVE-2026-52801: Gogs has the ability to import local repositories via Mirror Settings

June 23, 2026

The Gogs Mirror Settings functionality provide an alternative way from the well protected New Migration functionality for any authenticated users to import local repositories. This issue stems from a lack of validation of SaveAddress function.

References

github.com/advisories/GHSA-wv27-2vqp-j7g5
github.com/gogs/gogs/commit/11e19f28b5c82466fd1689c94344ef4313ee986c
github.com/gogs/gogs/pull/8225
github.com/gogs/gogs/releases/tag/v0.14.3
github.com/gogs/gogs/security/advisories/GHSA-wv27-2vqp-j7g5
nvd.nist.gov/vuln/detail/CVE-2026-52801

Code Behaviors & Features

Detect and mitigate CVE-2026-52801 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →