ctipilot.ch

Rapid7 publishes unpatched Gogs argument-injection RCE with Metasploit module

vulnerability-trend · item:gogs-unpatched-argument-injection-rce-rapid7-metasploit

Coverage timeline: 1 brief, first 2026-05-29 → last 2026-05-29
Briefs: 1 (1 distinct)
Sources cited: 21 (15 hosts)
Sections touched: 1 (active_threats)
Co-occurring entities: 3 (see Related entities below)

Story timeline

  1. 2026-05-29 · CTI Daily Brief — 2026-05-29 · active_threats: First coverage. Authenticated RCE via --exec branch name passed to git rebase. CWE-88. CVSSv4 9.4. Affected 0.14.2 / 0.15.0+dev. No patch. Metasploit module. ~1,141 Shodan-visible instances.

Where this entity is cited

  • active_threats: 1

Source distribution

  • rapid7.com: 5 (24%)
  • blog.talosintelligence.com: 2 (10%)
  • securityweek.com: 2 (10%)
  • globenewswire.com: 1 (5%)
  • thehackernews.com: 1 (5%)
  • bleepingcomputer.com: 1 (5%)
  • cisa.gov: 1 (5%)
  • cyberscoop.com: 1 (5%)
  • other: 7 (33%)

Related entities

Items in briefs about Rapid7 publishes unpatched Gogs argument-injection RCE with Metasploit module (3)

Rapid7 publishes unpatched Gogs argument-injection RCE with a Metasploit module; maintainer non-responsive

From CTI Daily Brief — 2026-05-29 · published 2026-05-29 · view item permalink →

Rapid7 Labs disclosed on 2026-05-28 an authenticated-RCE zero-day in Gogs, the open-source self-hosted Git service. The root cause is in the Merge() function inside internal/database/pull.go: when the "Rebase before merging" strategy is invoked on a pull request, Gogs passes the source-branch name unsanitised to process.ExecDir, bypassing the safer git-module wrappers. An attacker creates a branch named e.g. --exec=<command>; when git rebase runs, that name is parsed as a --exec option and the command executes under the Gogs service account. Affected: Gogs 0.14.2 and 0.15.0+dev (commit b53d3162); all prior versions that support the rebase-merge strategy are likely affected too. The maintainer acknowledged the report on 2026-03-28 (reported 2026-03-17) but has not shipped a fix; Rapid7 published once its disclosure window had elapsed. Rapid7 also released a full Metasploit module covering Windows and Linux targets. Shodan shows ~1,141 internet-facing Gogs instances. The class is CWE-88 argument injection, the same technique family as CVE-2024-39930 / 39932 / 39933 in prior Gogs disclosures. The Hacker News writeup corroborates and adds that no admin privileges are required, only account creation and repository access.

Why it matters to us: Self-hosted Gogs is common in European public-sector code and research infrastructure as a lightweight GitHub alternative. Until migration to a maintained fork (Gitea / Forgejo) is complete, set DISABLE_REGISTRATION = true under [service] in app.ini (this only stops new accounts; any existing user who can push to a repository already meets the precondition), disable the Rebase before merging strategy in the instance settings, and watch for git child processes carrying --exec or -x under the Gogs binary's process tree (Sysmon EID 1 / auditd EXECVE). Because git runs --exec commands through the shell, the payload appears as gogs → git → sh → <command>, so a shell spawned by git under the Gogs service account is a second signal to alert on.
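Worked example, added here and not taken from Rapid7's advisory, the Metasploit module or the Gogs code base: the vulnerable argv construction the brief describes beside a hardened builder, and the detection rule from the mitigation paragraph run over a constructed auditd EXECVE record. The argv order, all function names and the sample log line are assumptions; the ref-name rules follow git's check-ref-format plus an outright ban on a leading dash, which is the check that stops the option-injection.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"regexp"
	"strings"
)

// rebaseArgsVulnerable mirrors the flaw class the brief describes: the
// pull-request source branch, which any pushing user controls, goes straight
// into git's argv, so a branch named "--exec=id" becomes a rebase option.
// The argv order is an assumption for illustration, not Gogs' actual call.
func rebaseArgsVulnerable(sourceBranch, baseBranch string) []string {
	return []string{"rebase", baseBranch, sourceBranch}
}

// Control bytes, DEL, space and the characters git forbids in ref names.
var badRefChars = regexp.MustCompile(`[\x00-\x1f\x7f ~^:?*\[\\]`)

// ValidateRefName applies the check-ref-format rules that matter here plus a
// ban on a leading '-': receive-pack accepts refs/heads/--exec=id (only
// `git branch` refuses it), so the application has to reject it itself.
func ValidateRefName(name string) error {
	switch {
	case name == "" || name == "@":
		return errors.New("empty or reserved ref name")
	case strings.HasPrefix(name, "-"):
		return errors.New("leading '-' would be parsed as an option")
	case strings.Contains(name, "..") || strings.Contains(name, "@{") || strings.Contains(name, "//"):
		return errors.New("contains '..', '@{' or an empty component")
	case strings.HasPrefix(name, "/") || strings.HasSuffix(name, "/") || strings.HasSuffix(name, ".") || strings.HasSuffix(name, ".lock"):
		return errors.New("forbidden leading '/' or trailing '/', '.' or '.lock'")
	case badRefChars.MatchString(name):
		return errors.New("forbidden character")
	}
	for _, comp := range strings.Split(name, "/") {
		if strings.HasPrefix(comp, ".") {
			return errors.New("path component begins with '.'")
		}
	}
	return nil
}

// rebaseArgsHardened validates both names and ends option parsing with "--",
// so a name that somehow slipped past validation still cannot act as a flag.
func rebaseArgsHardened(sourceBranch, baseBranch string) ([]string, error) {
	for _, n := range []string{sourceBranch, baseBranch} {
		if err := ValidateRefName(n); err != nil {
			return nil, fmt.Errorf("refusing rebase of %q: %w", n, err)
		}
	}
	return []string{"rebase", "--", baseBranch, sourceBranch}, nil
}

// Detection side. ParseAuditdExecve extracts a0..aN from an auditd EXECVE
// record in order; a Sysmon EID 1 CommandLine needs a quote-aware split first.
var auditArg = regexp.MustCompile(`\ba(\d+)="([^"]*)"`)

func ParseAuditdExecve(line string) []string {
	var argv []string
	for _, m := range auditArg.FindAllStringSubmatch(line, -1) {
		argv = append(argv, m[2])
	}
	return argv
}

// IsGitRebaseWithExec is the rule: image is git, sub-command is rebase, and a
// later argument is --exec, --exec=... or -x. Pair it with a parent filter
// (Sysmon ParentImage / auditd ppid comm == gogs) to drop developer noise.
func IsGitRebaseWithExec(argv []string) bool {
	if len(argv) < 2 {
		return false
	}
	img := strings.ToLower(path.Base(strings.ReplaceAll(argv[0], `\`, "/")))
	if img != "git" && img != "git.exe" {
		return false
	}
	sawRebase := false
	for _, a := range argv[1:] {
		if a == "rebase" {
			sawRebase = true
		} else if sawRebase && (a == "-x" || a == "--exec" || strings.HasPrefix(a, "--exec=")) {
			return true
		}
	}
	return false
}

func main() {
	fmt.Println("vulnerable:", rebaseArgsVulnerable("--exec=id", "master"))
	_, err := rebaseArgsHardened("--exec=id", "master")
	fmt.Println("hardened:", err)
	// Constructed sample telemetry, not a real capture.
	audit := `type=EXECVE msg=audit(1780000000.123:4242): argc=4 a0="git" a1="rebase" a2="--exec=id>/tmp/pwned" a3="master"`
	fmt.Println("auditd hit:", IsGitRebaseWithExec(ParseAuditdExecve(audit)))
}
```

Run with go run; the hardened builder refuses the branch and the rule flags the constructed record. The "--" in the hardened argv is defence in depth only: the validation is the control, because git rebase would otherwise still treat "--exec=id" as a flag. On Windows, feed the rule the Sysmon CommandLine after a quote-aware split and gate on ParentImage ending in gogs.exe; on Linux, join the EXECVE record to its SYSCALL record (same audit serial) to check the parent's comm.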

ANNUAL REPORT — Rapid7 Q1 2026 Threat Landscape Report: vulnerability exploitation now top initial-access vector at 38 %; KEV median time to listing collapses to 5 days

From CTI Daily Brief — 2026-05-23 · published 2026-05-23 · view item permalink →

Rapid7 Labs published its Q1 2026 Threat Landscape Report on 2026-05-21 covering January–March 2026 IR data; the GlobeNewswire release accompanied the post the same day. The findings that change what a Swiss/EU public-sector SOC should prioritise:

  • Vulnerability exploitation accounted for 38 % of confirmed initial-access vectors, overtaking social engineering (24 %) in Rapid7's Q1 2026 dataset. The implication: edge / perimeter patch SLAs and exposure management now drive blast-radius more than awareness training does.
  • More than 50 % of actively exploited vulnerabilities in Q1 2026 were zero-click, network-facing flaws requiring no authentication or user interaction. The defensive prioritisation gradient sharpens: pre-auth network-facing CVEs > authenticated CVEs > anything user-interaction-dependent.
  • Median time from public disclosure to CISA KEV listing fell from 8.5 days to 5.0 days. Operators of EU/CH public-sector estates running on monthly patch windows lose ground every cycle; the report frames this as faster AI-assisted N-day weaponisation. PD-13 still applies — the KEV addition is the exploitation-confirmation signal, not a US-only compliance deadline — but the window between "vendor publishes" and "expect attempts" has narrowed materially.
  • Exploited vulnerabilities averaged 1.8 million mentions across forums, blogs and social media before operational targeting, making chatter spikes a leading indicator of imminent exploitation waves.
  • SQL injection became the most-exploited vulnerability class in Q1 2026, which places the Drupal CVE-2026-9082 item in the same brief within a broader shift rather than an isolated case.
  • RMM tool abuse accounted for 22.9 % of observed threat activity, ClickFix-style social engineering 18.8 % — both worth re-checking on EDR detection coverage in EU/CH environments where ClickFix browser drive-by is less culturally familiar than in U.S. consumer markets.

The report also covers a geopolitical layer (Iranian, Russian and Chinese campaigns synchronised with Middle East military escalation; tools mentioned include BPFDoor and ModeloRAT) and ransomware fragmentation (Qilin leads at 357 leak-site posts, The Gentlemen 206, Akira 174; pure-extortion without encryption continues to grow). Per PD-9 this is the dedicated treatment of the report; specific findings will be cited as context in future briefs rather than re-summarised.

Rapid7 Q1 2026 Threat Landscape Report — corroborates the structural shift; KEV-to-listing window collapsing

From CTI Weekly Summary — 2026-W21 (May 18 – May 24, 2026) · published 2026-05-18 · view item permalink →

Rapid7's Q1 2026 report (published 2026-05-21, covering Jan–Mar 2026 IR data, covered in the 2026-05-23 daily brief) independently finds vulnerability exploitation to be the top initial-access vector at ~38%. Read alongside the Verizon DBIR, the two datasets agree on direction even where the absolute percentages differ (different windows, different telemetry); the synthesis a daily reader could not see is that this is a corroborated structural change, not a single-vendor artefact. For CH/EU defenders this argues for prioritising edge-device and public-facing-application patch SLAs over generic awareness programmes.