CVE-2026-47267
HighCVSS 8.3Exploitation Probability (EPSS)
Low risk32th percentile — higher than 32% of all known CVEs
Summary
Gogs is an open source self-hosted Git service. In versions prior to 0.14.3, the fix for CVE-2022-1285 prevented adding webhooks or running them with URLs whose hostname resolves in localCIDRs. However, webhooks still follow redirects allowing access to hostnames inside localCIDRs.
Risk Assessment
This vulnerability may lead to unauthorized access to internal organizational resources through the exploitation of redirects in webhooks. It could result in the exposure of sensitive data or enable attacks on local infrastructure.
Recommendation
It is recommended to update Gogs to version 0.14.3 or later to eliminate this vulnerability. Additionally, conducting an audit of webhook configurations is advisable to minimize risk.
Original NVD description (English source)
Gogs is an open source self-hosted Git service. Prior to 0.14.3, the fix for CVE-2022-1285 prevents adding webooks or running webhooks with URLs with a hostname that resolves in localCIDRs. However, webhooks still follow redirects allowing to access hostname inside localCIDRs. This vulnerability is fixed in 0.14.3.

