No fix yet for critical RCE bug in open-source Git service Gogs - exploit module is out
ID: 435f6a85-4d7d-5730-865d-f23d3841a728
STIX ID: report--435f6a85-4d7d-5730-865d-f23d3841a728
Feed Name: The Register (Security)
A critical RCE vulnerability (reported CVSS 9.4) in Gogs allows authenticated users to inject arguments into the git rebase command during pull-request merges (when "Rebase before merging" is enabled), enabling arbitrary code execution across Windows, Linux, and macOS installations. The maintainers have not released a patch, a Metasploit module is public, and recommended mitigations include disabling user registration, restricting repository creation, and disabling rebase merges until a fix is available.
