CVE-2026-25921

CriticalPublic PoC

Published: 05 March 2026

Published

05 March 2026

Modified

06 March 2026

KEV Added

—

Patch

—

CVSS Score 9.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:L

EPSS Score 0.0003 9.8th percentile

Risk Priority 19 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-25921 is a critical-severity Insufficient Verification of Data Authenticity (CWE-345) vulnerability in Gogs Gogs. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 9.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

SI-2 requires timely flaw remediation, directly addressing this CVE by mandating upgrades to Gogs version 0.14.2 or later to patch the overwritable LFS object vulnerability.

AC-3 Access Enforcement good match

prevent

AC-3 enforces approved authorizations for access to system resources, preventing unauthenticated attackers from overwriting LFS objects across repositories.

SI-7 Software, Firmware, and Information Integrity good match

preventdetect

SI-7 employs integrity checks to detect unauthorized modifications to LFS objects, mitigating supply-chain attacks by identifying tampered binary files before use.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1565.001 Stored Data Manipulation Impact

Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.

attack.mitre.org →

Why these techniques?

Remote unauthenticated exploit against public-facing Git service (T1190) directly enables stored LFS object overwrite, mapping to stored data manipulation (T1565.001) for integrity compromise and supply-chain injection.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Gogs is an open source self-hosted Git service. Prior to version 0.14.2, overwritable LFS object across different repos leads to supply-chain attack, all LFS objects are vulnerable to be maliciously overwritten by malicious attackers. This issue has been patched in…

version 0.14.2.

Deeper analysisAI

CVE-2026-25921 affects Gogs, an open source self-hosted Git service, in versions prior to 0.14.2. The vulnerability stems from overwritable Git Large File Storage (LFS) objects across different repositories, enabling malicious overwriting of all LFS objects. This flaw, classified under CWE-345 (Insufficient Verification of Data Authenticity), carries a CVSS v3.1 base score of 9.3 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:L), indicating critical severity due to high integrity impact with changed scope.

Unauthenticated remote attackers can exploit this vulnerability over the network with low complexity and no user interaction. By overwriting LFS objects in arbitrary repositories, attackers enable supply-chain attacks, potentially injecting malicious content into repositories used by other users or organizations, compromising the integrity of large binary files without affecting confidentiality or causing significant availability disruption.

The issue has been addressed in Gogs version 0.14.2, as detailed in the project's security advisory (GHSA-cj4v-437j-jq4c), release notes, associated pull request (#8166), and patching commit (81ee8836445ac888d99da8b652be7d5cbc5c4d5c). Security practitioners should prioritize upgrading to version 0.14.2 or later to mitigate the risk.

Details

CWE(s): CWE-345

Affected Products

gogs

≤ 0.14.2

CVEs Like This One

CVE-2026-26194Same product: Gogs Gogs

CVE-2025-8110Same product: Gogs Gogs

CVE-2025-64175Same product: Gogs Gogs

CVE-2025-64111Same product: Gogs Gogs

CVE-2026-25232Same product: Gogs Gogs

CVE-2026-26276Same product: Gogs Gogs

CVE-2026-25242Same product: Gogs Gogs

CVE-2026-24135Same product: Gogs Gogs

CVE-2026-26022Same product: Gogs Gogs

CVE-2026-33143Shared CWE-345

References

https://github.com/gogs/gogs/commit/81ee8836445ac888d99da8b652be7d5cbc5c4d5c
Patch · security-advisories@github.com
https://github.com/gogs/gogs/pull/8166
Issue Tracking · security-advisories@github.com
https://github.com/gogs/gogs/releases/tag/v0.14.2
Release Notes · security-advisories@github.com
https://github.com/gogs/gogs/security/advisories/GHSA-cj4v-437j-jq4c
Exploit, Vendor Advisory, Mitigation · security-advisories@github.com