• US government told to patch high-severity Gogs security issue or

    From TechnologyDaily@1337:1/100 to All on Tuesday, January 13, 2026 15:30:09
    US government told to patch high-severity Gogs security issue or face attack

    Date:
    Tue, 13 Jan 2026 15:25:00 +0000

    Description:
    A new bug made its way to CISA's KEV, after being used as a zero-day.

    FULL STORY ======================================================================
    - CISA added Gogs CVE-2025-8110 to its Known Exploited Vulnerabilities catalog
    - Critical symlink bypass enables unauthenticated Remote Code Execution via the PutContents API
    - Over 700 Gogs servers compromised; agencies must patch by February 2, 2026

    The US Cybersecurity and Infrastructure Security Agency (CISA) has added a
    new bug to its Known Exploited Vulnerabilities (KEV) catalog, signaling not only that it is being actively exploited in the wild, but also ordering Federal Civilian Executive Branch (FCEB) agencies to patch it, or stop using the vulnerable software entirely.

    The software at risk is Gogs, a self-hosted Git service which lets organizations run their own private alternative to GitHub or GitLab.

    Gogs provides a web interface for hosting Git repositories, managing users
    and teams, handling pull requests, code reviews, issues, and basic project documentation, all on infrastructure under the user's control. It is written
    in Go and designed to be lightweight and fast. In practice, Gogs is often
    used for internal development environments, air-gapped networks, or companies that want full control over source code access.

    Cybersecurity researchers from Wiz Research recently found a critical symlink bypass vulnerability that allows unauthenticated users to achieve Remote Code Execution (RCE) by exploiting the PutContents API. With RCE, crooks can take over the underlying server entirely, deploying malware, exfiltrating sensitive data, and more.

    The vulnerability is now tracked as CVE-2025-8110, and was given a severity score of 8.7/10 (high). It was added to KEV on January 12, 2026, giving FCEB agencies until February 2 to apply the patch. The fix, which can be found on GitHub, adds symlink-aware path validation at all file write entry points, effectively mitigating the issue.
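    The article says the fix adds symlink-aware path validation at every file write entry point. The Go program below is an added example written for this page; it is not Gogs's code and not the actual patch. It contrasts a purely lexical containment check (which only normalises the path string) with one that resolves symlinks in the target's existing ancestors before checking that the write stays inside the repository root. The function names (lexicalSafePath, symlinkSafePath, Scenario) and the temp-directory layout with a committed "docs -> ../outside" symlink are assumptions made for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned when a write target would land outside the repository root.
var ErrOutsideRoot = errors.New("path escapes repository root")

// inside reports whether p is root itself or a descendant of root (both already cleaned).
func inside(root, p string) bool {
	return p == root || strings.HasPrefix(p, root+string(filepath.Separator))
}

// lexicalSafePath is the weak check: it collapses "." and ".." in the path string
// but never consults the filesystem, so a symlink inside root that points outside
// passes it unnoticed.
func lexicalSafePath(root, rel string) (string, error) {
	cleanRoot := filepath.Clean(root)
	target := filepath.Join(cleanRoot, rel) // Join cleans, so "../" is collapsed
	if !inside(cleanRoot, target) {
		return "", ErrOutsideRoot
	}
	return target, nil
}

// symlinkSafePath is the hardened check: it first applies the lexical check, then
// resolves symlinks in the deepest existing ancestor of the target (the target itself
// may not exist yet, since we are about to write it) and re-checks containment on
// the resolved path against the resolved root.
func symlinkSafePath(root, rel string) (string, error) {
	target, err := lexicalSafePath(root, rel)
	if err != nil {
		return "", err
	}
	realRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return "", err
	}
	// Walk up until we hit a path component that exists (Lstat does not follow symlinks,
	// so an existing symlink counts as "existing" here and is resolved below).
	existing, rest := target, ""
	for {
		if _, err := os.Lstat(existing); err == nil {
			break
		}
		rest = filepath.Join(filepath.Base(existing), rest)
		parent := filepath.Dir(existing)
		if parent == existing { // reached the filesystem root without finding anything
			return "", ErrOutsideRoot
		}
		existing = parent
	}
	realExisting, err := filepath.EvalSymlinks(existing)
	if err != nil {
		return "", err
	}
	resolved := filepath.Join(realExisting, rest)
	if !inside(realRoot, resolved) {
		return "", ErrOutsideRoot
	}
	return resolved, nil
}

// Results records which writes each check would allow in the constructed scenario.
type Results struct {
	LexicalAcceptsSymlinkWrite  bool // expected true: the weak check is fooled
	HardenedAcceptsSymlinkWrite bool // expected false: the symlink-aware check refuses
	HardenedAcceptsNormalWrite  bool // expected true: ordinary in-repo writes still work
	HardenedAcceptsDotDot       bool // expected false: plain traversal is still refused
}

// Scenario builds a hypothetical repository in a temp dir containing a symlink
// "docs" that points outside the repository, then asks both checks whether a
// write to "docs/payload.txt" is allowed. All files here are constructed for the demo.
func Scenario() (Results, error) {
	var r Results
	base, err := os.MkdirTemp("", "symlink-check-demo")
	if err != nil {
		return r, err
	}
	defer os.RemoveAll(base)

	repo := filepath.Join(base, "repo")       // the root every write must stay inside
	outside := filepath.Join(base, "outside") // stands in for any sensitive directory
	for _, d := range []string{repo, outside} {
		if err := os.MkdirAll(d, 0o755); err != nil {
			return r, err
		}
	}
	// The attacker-controlled symlink, as it would appear once committed into the repo.
	if err := os.Symlink(filepath.Join("..", "outside"), filepath.Join(repo, "docs")); err != nil {
		return r, err
	}

	_, lexErr := lexicalSafePath(repo, "docs/payload.txt")
	_, hardErr := symlinkSafePath(repo, "docs/payload.txt")
	_, okErr := symlinkSafePath(repo, "README.md")
	_, dotErr := symlinkSafePath(repo, "../escape.txt")

	r.LexicalAcceptsSymlinkWrite = lexErr == nil
	r.HardenedAcceptsSymlinkWrite = hardErr == nil
	r.HardenedAcceptsNormalWrite = okErr == nil
	r.HardenedAcceptsDotDot = dotErr == nil
	return r, nil
}

func main() {
	r, err := Scenario()
	if err != nil {
		fmt.Println("error:", err)
		os.Exit(1)
	}
	fmt.Printf("%+v\n", r)
}
```

    The point of resolving only the deepest existing ancestor is that a write endpoint usually creates the final file, so the target itself cannot be resolved; the escape happens through an existing symlinked directory on the way to it. Comparing against the resolved root (rather than the raw root string) also keeps the check correct when the root itself lives behind a symlink, as temp directories do on some systems.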

    In its report, BleepingComputer stated that by November 1, 2025, there had already been two separate waves of attacks leveraging this vulnerability as a zero-day. Today, more than 1,400 Gogs servers are exposed online, and more than 700 instances already show signs of compromise.

    In other words, it seems that cybercriminals are having a field day with vulnerable Gogs instances, while organizations lag at patching.

    Via BleepingComputer




    ======================================================================
    Link to news story: https://www.techradar.com/pro/security/us-government-told-to-patch-high-severity-gogs-security-issue-or-face-attack


    --- Mystic BBS v1.12 A49 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)