Is gogs.io/gogs safe to use?

gogs.io/gogs has 42 known vulnerabilities on the latest version (v0.13.3). DepScope rates its health at 25/100 (critical risk).

What is the latest version of gogs.io/gogs?

The latest version of gogs.io/gogs is v0.13.3, released 2025-06-08.

Does gogs.io/gogs have known vulnerabilities?

Yes. gogs.io/gogs has 42 known vulnerabilities. See depscope.dev/pkg/go/gogs.io/gogs for details.

Is gogs.io/gogs deprecated?

No, gogs.io/gogs is actively maintained. Latest release: v0.13.3 (2025-06-08).

What are alternatives to gogs.io/gogs?

DepScope has no curated alternatives for gogs.io/gogs at this time.

What license does gogs.io/gogs use?

gogs.io/gogs is licensed under MIT.

gogs.io/gogs

govv0.13.3

License MITpermissive80 versions0 deps

/ 100

Health

do not use

gogs.io/gogs has critical vulnerabilities — do not use

Update to >= 0.13.3-0.20250608224432-110117b2e5e5 to fix known vulnerabilities

Low health score (25/100)
8 high severity vulnerabilities
2 critical vulnerabilities

Health breakdown0 – 100

10/25

maintenance

0/20

popularity

0/25

security

15/15

maturity

0/15

community

Vulnerabilities

2 critical8 high10 medium22 low

Advisories (42)

Severity	ID	Summary	Fixed in
high	GO-2026-4454	Gogs vulnerable to Stored XSS via Mermaid diagrams	0.13.4
high	CVE-2026-25232	Gogs has a Protected Branch Deletion Bypass in Web Interface	0.14.1
medium	CVE-2026-23632	Gogs user can update repository content with read-only permission	0.13.4
critical	CVE-2026-25921	Gogs: Cross-repository LFS object overwrite via missing content hash verification	0.14.2
medium	CVE-2026-22592	Gogs has a Denial of Service issue	0.13.4
medium	CVE-2026-25229	Gogs has an Authorization Bypass Allows Cross-Repository Label Modification in Gogs	0.14.0
medium	CVE-2026-25242	Unauthenticated File Upload in Gogs	0.14.1
critical	CVE-2025-64111	Gogs's update .git/config file allows remote command execution	0.13.4
medium	CVE-2026-25120	Gogs Allows Cross-Repository Comment Deletion via DeleteComment	0.14.0
high	CVE-2026-24135	Gogs vulnerable to arbitrary file deletion via Path Traversal in wiki page update	0.13.4
high	CVE-2025-8110	Gogs vulnerable to a bypass of CVE-2024-55947	—
medium	CVE-2026-23633	Gogs has arbitrary file read/write via Path Traversal in Git hook editing	0.13.4
high	CVE-2025-64175	Gogs Vulnerable to 2FA Bypass via Recovery Code	0.13.4
medium	CVE-2025-65852	Gogs has authorization bypass in repository deletion API	0.13.4
high	CVE-2026-26194	Gogs: Release tag option injection in release deletion	0.14.2
high	CVE-2026-26276	Gogs: DOM-based XSS via milestone selection	—
medium	CVE-2026-26195	Gogs: Stored XSS in branch and wiki views through author and committer names	—
medium	CVE-2026-26196	Gogs: Access tokens get exposed through URL params in API requests	—
medium	CVE-2025-47943	Gogs XSS allowed by stored call in PDF renderer	0.13.3-0.20250608224432-110117b2e5e5
high	CVE-2026-26022	Gogs: Stored XSS via data URI in issue comments	0.14.2

... and 22 more

Threat intelligence

2 actively exploited (CISA KEV)1 likely exploited (EPSS ≥ 0.5)

Threat tier per vulnerability derived from CISA KEV catalog + FIRST.org EPSS scores.

Health History

Dependency Tree

License Audit

API access

Get this data programmatically — free, no authentication.

curl https://depscope.dev/api/check/go/gogs.io/gogs

Last updated · 2025-06-08T22:55:56Z