US government told to patch high-severity Gogs security issue or face attack

Serious Gogs bug has made its way to CISA's KEV

· TechRadar

News By Sead Fadilpašić published 13 January 2026

  • CISA added Gogs CVE-2025-8110 to its Known Exploited Vulnerabilities catalog
  • Critical symlink bypass enables unauthenticated Remote Code Execution via PutContents API
  • Over 700 Gogs servers compromised; agencies must patch by February 2, 2026

The US Cybersecurity and Infrastructure Security Agency (CISA) has added a new bug to its Known Exploited Vulnerabilities (KEV) catalog, signaling not only that it is being actively exploited in the wild, but also ordering Federal Civilian Executive Branch (FCEB) agencies to patch it, or stop using the vulnerable software entirely.

The software at risk is Gogs, a self-hosted Git service that lets organizations run their own private alternatives to GitHub or GitLab.

Gogs provides a web interface for hosting Git repositories, managing users and teams, handling pull requests, code reviews, issues, and basic project documentation, all on infrastructure under the user’s control. It is written in Go and designed to be lightweight and fast. In practice, Gogs is often used for internal development environments, air-gapped networks, or companies that want full control over source code access.

Data for sale

Cybersecurity researchers from Wiz Research recently found a critical symlink bypass vulnerability that allows unauthenticated users to achieve Remote Code Execution (RCE) by exploiting the PutContents API. With RCE, crooks can take over the underlying server entirely, deploying malware, exfiltrating sensitive data, and more.

The vulnerability is now tracked as CVE-2025-8110, and was given a severity score of 8.7/10 (high). It was added to KEV on January 12, 2026, giving FCEB agencies until February 2 to apply the patch. The fix, which can be found on GitHub, adds symlink-aware path validation at all file write entry points, effectively mitigating the issue.
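To illustrate the class of check the article says the fix adds (symlink-aware validation of a write path before it is used), here is an added example in Go, the language Gogs is written in. It is not Gogs' own code and does not reproduce its patch; the function name `SafeWritePath`, the error value, and the temporary-directory fixture in `main` are all assumptions for this illustration. The point it makes is that a purely lexical `..` check is not enough: a symlink inside the repository can point outside it, so every existing ancestor of the target, and the target itself if it already exists, must be resolved with `filepath.EvalSymlinks` and re-checked against the resolved root.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrEscapesRoot is returned when a write target resolves outside the repository root.
// (Illustrative name; not an identifier from Gogs.)
var ErrEscapesRoot = errors.New("write target escapes repository root")

// within reports whether p lies at or below root, using a lexical relative-path test.
// Both arguments must already be absolute and cleaned.
func within(root, p string) bool {
	rel, err := filepath.Rel(root, p)
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// SafeWritePath maps a user-supplied, repository-relative path onto disk and returns the
// absolute path to write to, or ErrEscapesRoot if the target would land outside root.
// It performs the lexical check first, then resolves symlinks on the deepest existing
// ancestor (or the target itself) so that a symlink planted inside the repository cannot
// redirect the write elsewhere. This is an added example, not Gogs' implementation.
func SafeWritePath(root, rel string) (string, error) {
	// Canonicalise the root so that the comparison below uses the same form on both sides.
	realRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return "", err
	}
	if realRoot, err = filepath.Abs(realRoot); err != nil {
		return "", err
	}

	// Step 1: lexical containment. filepath.Join cleans "..", so a traversal shows up as a
	// path that is no longer under realRoot.
	candidate := filepath.Join(realRoot, filepath.FromSlash(rel))
	if !within(realRoot, candidate) {
		return "", ErrEscapesRoot
	}

	// Step 2: find the deepest component that exists on disk. Anything below it will be
	// created by the write, so only the existing prefix can hide a symlink.
	existing := candidate
	for {
		if _, err := os.Lstat(existing); err == nil {
			break
		}
		parent := filepath.Dir(existing)
		if parent == existing {
			return "", fmt.Errorf("no existing ancestor for %q", candidate)
		}
		existing = parent
	}

	// Step 3: resolve symlinks in that existing prefix and re-check containment.
	resolved, err := filepath.EvalSymlinks(existing)
	if err != nil {
		return "", err
	}
	if !within(realRoot, resolved) {
		return "", ErrEscapesRoot
	}

	// Re-attach the not-yet-existing remainder to the resolved prefix.
	remainder, err := filepath.Rel(existing, candidate)
	if err != nil {
		return "", err
	}
	return filepath.Join(resolved, remainder), nil
}

func main() {
	// Constructed fixture: a repo directory containing a symlink that points outside it.
	base, err := os.MkdirTemp("", "symlink-check-example")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(base)
	repo := filepath.Join(base, "repo")
	outside := filepath.Join(base, "outside")
	_ = os.MkdirAll(filepath.Join(repo, "docs"), 0o755)
	_ = os.MkdirAll(outside, 0o755)
	_ = os.Symlink(outside, filepath.Join(repo, "link"))

	for _, rel := range []string{"docs/readme.md", "../outside/x.txt", "link/x.txt", "link"} {
		p, err := SafeWritePath(repo, rel)
		fmt.Printf("%-20s -> path=%q err=%v\n", rel, p, err)
	}
}
```

The usage in `main` shows the three outcomes a practitioner cares about: an ordinary path under `docs/` is accepted, a `..` traversal is rejected lexically, and a path that passes the lexical check but crosses the planted `link` symlink is rejected only because of the resolution step.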

In its report, BleepingComputer stated that by November 1, 2025, there had already been two separate waves of attacks leveraging this vulnerability as a zero-day. Today, there are more than 1,400 Gogs servers exposed online, and more than 700 instances already showing signs of compromise.

In other words, it seems that cybercriminals are having a field day with vulnerable Gogs instances, while organizations lag at patching.
