CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST - in English
CISA KEV catalog updated: (v2026.07.10)
Gogs before version 0.14.3 allows authenticated users to achieve Remote Code Execution (RCE) on the server by creating a pull request with a specially crafted branch name that injects the --exec flag into the git rebase command during the 'Rebase before merging' merge operation.
In Gogs before version 0.14.3, an SSRF vulnerability was found in the repository migration functionality. The application validates only the initially submitted URL hostname, but git clone --mirror follows HTTP redirects. An authenticated user can submit a public URL that redirects to an internal endpoint (e.g., 127.0.0.1), importing the internal repository's contents into an attacker-controlled repository.
Gogs is an open source self-hosted Git service. Prior to 0.14.3, a repository admin collaborator can escalate their privileges to owner-level access by exploiting an off-by-one error in the ChangeCollaborationAccessMode function. This vulnerability is fixed in 0.14.3.
Gogs is an open source Git service that prior to version 0.14.3 had an open redirect vulnerability. Attacker-controlled redirect_to parameters could bypass validation, allowing redirection to arbitrary external sites.
Gogs is an open source Git service that prior to version 0.14.3 had a vulnerability in the mirror settings functionality, allowing authenticated users to import local repositories without proper protection. The issue stems from a lack of validation in the SaveAddress function.
Gogs before version 0.14.3 allows organization team member management via GET requests without CSRF protection. An attacker can exploit this vulnerability by tricking a logged-in organization owner into visiting a crafted link, resulting in adding an attacker-controlled user to the Owners team and gaining organization owner-equivalent privileges.
Gogs is an open source Git service that prior to version 0.14.3 allowed downloading attachments without verifying user permissions. Unauthenticated users could download attachments from private repositories.
Gogs is an open-source Git service that prior to version 0.14.3 had a vulnerability allowing the execution of malicious JavaScript code. Although .ipynb previews were sanitized on the server side, their content was re-rendered on the client side without proper sanitization, leading to the possibility of XSS attacks.
Gogs is an open source Git service that, prior to version 0.14.0, allowed authorized users to manipulate the value passed to the git diff command. This enabled users to bypass filtering and write the comparison result to any arbitrary location.
Gogs is an open source Git service that prior to version 0.14.3 was vulnerable to a panic error when rendering a specially crafted issue index pattern, resulting in denial of service.
Gogs is an open-source Git service that in version 0.14.3 and earlier allows authenticated users to watch private repositories they do not have access to. The issue arises from an incorrectly implemented access check in the Watch API, enabling attackers to access information from private repositories.
Mastodon prior to versions 4.5.11, 4.4.18, and 4.3.24 contains a DoS vulnerability due to missing exception handling in the math sanitizer. Malformed <math> nodes can lead to a DoS of the entire server or targeted user services, depending on the actions involving those nodes.
Mastodon, a social network server based on ActivityPub, has a vulnerability in versions from 4.3.0 to 4.5.11 and 4.4.18 that allows modification of the attributionDomains value in signed activities. An error in the definition of this term makes Linked Data signatures ineffective.
In the visitors.info endpoint of Rocket.Chat, a token is returned in the API response. There is no legitimate use case for the token to be present in the response, and its exposure poses a security risk. The vulnerability is fixed in versions 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12.
Vulnerability in Rocket.Chat before versions 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12 where OAuth bearer or refresh tokens are not revoked when a user is deactivated. A deactivated user can continue using an existing access token or mint a fresh token from a refresh token.
In versions prior to 8.5.0, the ImageElement component in Rocket.Chat renders user-controlled src values without protocol sanitization. This allows for the insertion of a malicious URL with the javascript: protocol, potentially executing arbitrary JavaScript in the user's session.
Gogs is an open source self-hosted Git service. In versions prior to 0.14.3, the fix for CVE-2022-1285 prevented adding webhooks or running them with URLs whose hostname resolves in localCIDRs. However, webhooks still follow redirects allowing access to hostnames inside localCIDRs.
A vulnerability in Rocket.Chat before versions 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11 causes the SAML service provider implementation to silently skip SAML Response and Assertion signature validation when the configured IdP certificate field is empty. The verifySignatures routine performs an early return when serviceProviderOptions.cert is falsy, which is the default state of the setting.
Rocket.Chat prior to versions 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12 allowed users deactivated through users.deactivateIdle to continue using already-issued login tokens. A user marked inactive by an administrator could still access authenticated REST endpoints with the old token.
An unauthenticated attacker can obtain a valid OAuth access token for any Rocket.Chat user by sending a single HTTP POST with MongoDB query operators to the /oauth/token endpoint. The OAuth2 server does not validate that grant parameters are strings, allowing substitution of values like {"$ne": null} and receiving an access token for the first matched user.

