SCA: security update for gogs.io/gogs (GHSA-2c6v-8r3v-gh6p)

high Tenable Cloud Security Plugin ID 437791

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Gogs is an open source self-hosted Git service. Versions 0.13.4 and below have an access control bypass
vulnerability which allows any repository collaborator with Write permissions to delete protected branches
(including the default branch) by sending a direct POST request, completely bypassing the branch
protection mechanism. This vulnerability in the DeleteBranchPost function eenables privilege escalation
from Write to Admin level, allowing low-privilege users to perform dangerous operations that should be
restricted to administrators only. Although Git Hook layer correctly prevents protected branch deletion
via SSH push, the web interface deletion operation does not trigger Git Hooks, resulting in complete
bypass of protection mechanisms. In oder to exploit this vulnerability, attackers must have write
permissions to the target repository, protected branches configured to the target repository and access to
the Gogs web interface. This issue has been fixed in version 0.14.1. (CVE-2026-25232)

See Also

https://github.com/advisories/GHSA-2c6v-8r3v-gh6p

Plugin Details

Severity: High

ID: 437791

Version: Revision 1.8

Type: Local

Family: SCA Checks

Published: 2/18/2026

Updated: 7/6/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: High

Score: 7.6

Percentile: 98.48

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 7

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2026-25232

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: High

Base Score: 7.1

Threat Score: 7.1

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2/17/2026

Vulnerability Publication Date: 2/17/2026

Reference Information

CVE: CVE-2026-25232

cwe: CWE-863