CVE Catalog

CVE-2026-47267

HighCVSS 8.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.40%

32th percentile — higher than 32% of all known CVEs

Summary

Gogs is an open source self-hosted Git service. In versions prior to 0.14.3, the fix for CVE-2022-1285 prevented adding webhooks or running them with URLs whose hostname resolves in localCIDRs. However, webhooks still follow redirects allowing access to hostnames inside localCIDRs.

Risk Assessment

This vulnerability may lead to unauthorized access to internal organizational resources through the exploitation of redirects in webhooks. It could result in the exposure of sensitive data or enable attacks on local infrastructure.

Recommendation

It is recommended to update Gogs to version 0.14.3 or later to eliminate this vulnerability. Additionally, conducting an audit of webhook configurations is advisable to minimize risk.

Original NVD description (English source)

Gogs is an open source self-hosted Git service. Prior to 0.14.3, the fix for CVE-2022-1285 prevents adding webooks or running webhooks with URLs with a hostname that resolves in localCIDRs. However, webhooks still follow redirects allowing to access hostname inside localCIDRs. This vulnerability is fixed in 0.14.3.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS