CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST - in English

CISA KEV catalog updated: (v2026.07.10)

CVE-2026-52806
CriticalEPSS 59%

Gogs before version 0.14.3 allows authenticated users to achieve Remote Code Execution (RCE) on the server by creating a pull request with a specially crafted branch name that injects the --exec flag into the git rebase command during the 'Rebase before merging' merge operation.

CVE-2026-52805
High

In Gogs before version 0.14.3, an SSRF vulnerability was found in the repository migration functionality. The application validates only the initially submitted URL hostname, but git clone --mirror follows HTTP redirects. An authenticated user can submit a public URL that redirects to an internal endpoint (e.g., 127.0.0.1), importing the internal repository's contents into an attacker-controlled repository.

CVE-2026-52804
Medium

Gogs is an open source self-hosted Git service. Prior to 0.14.3, a repository admin collaborator can escalate their privileges to owner-level access by exploiting an off-by-one error in the ChangeCollaborationAccessMode function. This vulnerability is fixed in 0.14.3.

CVE-2026-52802
Medium

Gogs is an open source Git service that prior to version 0.14.3 had an open redirect vulnerability. Attacker-controlled redirect_to parameters could bypass validation, allowing redirection to arbitrary external sites.

CVE-2026-52801
High

Gogs is an open source Git service that prior to version 0.14.3 had a vulnerability in the mirror settings functionality, allowing authenticated users to import local repositories without proper protection. The issue stems from a lack of validation in the SaveAddress function.

CVE-2026-52800
High

Gogs before version 0.14.3 allows organization team member management via GET requests without CSRF protection. An attacker can exploit this vulnerability by tricking a logged-in organization owner into visiting a crafted link, resulting in adding an attacker-controlled user to the Owners team and gaining organization owner-equivalent privileges.

CVE-2026-52799
High

Gogs is an open source Git service that prior to version 0.14.3 allowed downloading attachments without verifying user permissions. Unauthenticated users could download attachments from private repositories.

CVE-2026-52798
High

Gogs is an open-source Git service that prior to version 0.14.3 had a vulnerability allowing the execution of malicious JavaScript code. Although .ipynb previews were sanitized on the server side, their content was re-rendered on the client side without proper sanitization, leading to the possibility of XSS attacks.

CVE-2026-52797
High

Gogs is an open source Git service that, prior to version 0.14.0, allowed authorized users to manipulate the value passed to the git diff command. This enabled users to bypass filtering and write the comparison result to any arbitrary location.

CVE-2026-52796
Low

Gogs is an open source Git service that prior to version 0.14.3 was vulnerable to a panic error when rendering a specially crafted issue index pattern, resulting in denial of service.

CVE-2026-52795
Medium

Gogs is an open-source Git service that in version 0.14.3 and earlier allows authenticated users to watch private repositories they do not have access to. The issue arises from an incorrectly implemented access check in the Watch API, enabling attackers to access information from private repositories.

CVE-2026-50129
High

Mastodon prior to versions 4.5.11, 4.4.18, and 4.3.24 contains a DoS vulnerability due to missing exception handling in the math sanitizer. Malformed <math> nodes can lead to a DoS of the entire server or targeted user services, depending on the actions involving those nodes.

CVE-2026-50128
Medium

Mastodon, a social network server based on ActivityPub, has a vulnerability in versions from 4.3.0 to 4.5.11 and 4.4.18 that allows modification of the attributionDomains value in signed activities. An error in the definition of this term makes Linked Data signatures ineffective.

CVE-2026-49278
Medium

In the visitors.info endpoint of Rocket.Chat, a token is returned in the API response. There is no legitimate use case for the token to be present in the response, and its exposure poses a security risk. The vulnerability is fixed in versions 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12.

CVE-2026-49277
Low

Vulnerability in Rocket.Chat before versions 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12 where OAuth bearer or refresh tokens are not revoked when a user is deactivated. A deactivated user can continue using an existing access token or mint a fresh token from a refresh token.

CVE-2026-47733
Medium

In versions prior to 8.5.0, the ImageElement component in Rocket.Chat renders user-controlled src values without protocol sanitization. This allows for the insertion of a malicious URL with the javascript: protocol, potentially executing arbitrary JavaScript in the user's session.

CVE-2026-47267
High

Gogs is an open source self-hosted Git service. In versions prior to 0.14.3, the fix for CVE-2022-1285 prevented adding webhooks or running them with URLs whose hostname resolves in localCIDRs. However, webhooks still follow redirects allowing access to hostnames inside localCIDRs.

CVE-2026-46423
Critical

A vulnerability in Rocket.Chat before versions 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11 causes the SAML service provider implementation to silently skip SAML Response and Assertion signature validation when the configured IdP certificate field is empty. The verifySignatures routine performs an early return when serviceProviderOptions.cert is falsy, which is the default state of the setting.

CVE-2026-45757
Low

Rocket.Chat prior to versions 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12 allowed users deactivated through users.deactivateIdle to continue using already-issued login tokens. A user marked inactive by an administrator could still access authenticated REST endpoints with the old token.

CVE-2026-45689
Critical

An unauthenticated attacker can obtain a valid OAuth access token for any Rocket.Chat user by sending a single HTTP POST with MongoDB query operators to the /oauth/token endpoint. The OAuth2 server does not validate that grant parameters are strings, allowing substitution of values like {"$ne": null} and receiving an access token for the first matched user.

PreviousPage 199 of 4563Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS