CVE-2026-25921

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-25921

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25921.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-25921

Aliases

Downstream

SUSE-SU-2026:1042-1

Related

SUSE-SU-2026:1042-1

Published

2026-03-05T18:36:30.692Z

Modified

2026-04-10T05:40:50.131727Z

Severity

9.3 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:L CVSS Calculator

Summary

Gogs: Cross-repository LFS object overwrite via missing content hash verification

Details

Gogs is an open source self-hosted Git service. Prior to version 0.14.2, overwritable LFS object across different repos leads to supply-chain attack, all LFS objects are vulnerable to be maliciously overwritten by malicious attackers. This issue has been patched in version 0.14.2.

Database specific

{
    "cwe_ids": [
        "CWE-345"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/25xxx/CVE-2026-25921.json"
}

References

Affected packages

Git / github.com/gogs/gogs

Affected ranges

Type: GIT
Repo: https://github.com/gogs/gogs
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

5dcb6c64bdf61e38dbdbb941c1d69789c560d0fb

Affected versions

v0.*

v0.10

v0.10.18

v0.10.8

v0.10rc

v0.11

v0.11.19

v0.11.29

v0.11.33

v0.11.34

v0.11.4

v0.11.43

v0.11.53

v0.11.66

v0.11.79

v0.11.86

v0.11.91

v0.11rc

v0.14.0

v0.14.0-rc.1

v0.14.1

v0.14.1-rc.1

v0.2.0

v0.3.0

v0.3.1

v0.4.0

v0.4.1

v0.4.2

v0.5.0

v0.5.11

v0.5.13

v0.5.2

v0.5.5

v0.5.8

v0.5.9

v0.6.1

v0.6.15

v0.6.3

v0.6.9

v0.7.0

v0.7.19

v0.7.22

v0.7.33

v0.7.6

v0.8.0

v0.8.10

v0.8.25

v0.8.43

v0.9.0

v0.9.113

v0.9.128

v0.9.13

v0.9.141

v0.9.46

v0.9.48

v0.9.60

v0.9.71

v0.9.97

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25921.json"