CVE-2026-25921 · CRITICAL 9.3 · EPSS p24.3%


Description

Gogs is an open source self-hosted Git service. Prior to version 0.14.2, an LFS object could be overwritten from a different repository, which enables a supply-chain attack: any LFS object could be maliciously overwritten by an attacker. This issue has been patched in version 0.14.2.

Scoring

CVSS 3.1: 9.3 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:L
EPSS: 0.33% probability of exploitation · percentile 24.3% · 2026-06-18T12:00:27Z
Published: 2026-03-05
Last modified: 2026-03-06

Underlying weaknesses · 1

CWE-345: Insufficient Verification of Data Authenticity

References

  1. https://github.com/gogs/gogs/commit/81ee8836445ac888d99da8b652be7d5cbc5c4d5c
  2. https://github.com/gogs/gogs/pull/8166
  3. https://github.com/gogs/gogs/releases/tag/v0.14.2
  4. https://github.com/gogs/gogs/security/advisories/GHSA-cj4v-437j-jq4c


Type     | Target                                                   | Confidence | Tier
Weakness | Insufficient Verification of Data Authenticity (cwe-345) | 0%         | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2025-64111
  2. CVE-2026-25242
  3. CVE-2026-25232
  4. CVE-2026-24135
  5. CVE-2026-45571
  6. CVE-2025-64175
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.