SCA: security update for gogs.io/gogs (GHSA-3qq3-668m-v9mj)

Medium severity, Tenable Cloud Security Plugin ID 443756

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Gogs is an open source self-hosted Git service. Prior to 0.14.3, a malicious user with rights to create a
new file in a repository or wiki page can trigger a denial of service condition in which the pages
containing the listing of files return HTTP error 500 and render the web interface unusable for the
repository or wiki. The issue is present in the files internal/route/repo/wiki.go and
internal/route/repo/view.go, where the pages try to retrieve commit information. If errors are returned
while retrieving commit information, the page returns a 500 error and stops rendering, resulting in a
denial of service. This vulnerability is fixed in 0.14.3. (CVE-2025-64719)

Solution

Update the gogs.io/gogs library and its related packages to version 0.14.3 or later.

See Also

https://github.com/advisories/GHSA-3qq3-668m-v9mj

Plugin Details

Severity: Medium

ID: 443756

Version: Revision 1.5

Type: Local

Family: SCA Checks

Published: 6/22/2026

Updated: 6/30/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.73

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 6.1

Temporal Score: 4.5

Vector: CVSS2#AV:N/AC:L/Au:M/C:N/I:N/A:C

CVSS Score Source: CVE-2025-64719

CVSS v3

Risk Factor: Medium

Base Score: 4.9

Temporal Score: 4.3

Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 6/22/2026

Vulnerability Publication Date: 6/22/2026

Reference Information

CVE: CVE-2025-64719

CWE: CWE-20