New Gogs 0-Day Flaw Enables Remote Code Execution on Servers

ID: 6b82a214-99d4-59f8-93e3-b279e22cfe03

STIX ID: report--6b82a214-99d4-59f8-93e3-b279e22cfe03

Feed Name: GBHackers

Threat Score: 90/100

Date Published: 2026-05-29

Date Updated: 2026-05-29

Author: Divya

A critical (CVSS v4 9.4) zero-day in Gogs lets authenticated users execute arbitrary commands on the server by embedding Git's "--exec" flag in branch names when the "Rebase before merging" option is used. Rapid7 confirmed the flaw and released a Metasploit module, and no official patch exists yet. Until a fix is available, administrators should disable open registration, restrict repository creation and merges, audit for suspicious branch names and log errors, and place instances behind access controls.
