Gogs patches critical zero-day enabling RCE
🛡️ Gogs has released version 0.14.3 to patch a critical argument-injection zero-day that allows authenticated non-admin users to execute remote code and access any repository, including private ones. The flaw affects all releases up to 0.14.2 and 0.15.0+dev and was reported by Rapid7 researcher Jonah Burgess. Rapid7 urges immediate upgrades and provided mitigations such as disabling open registration and restricting repo creation for instances that cannot be patched immediately.
