New Gogs zero-day flaw lets hackers get remote code execution
ID: 3f26ef2e-4f5c-5391-a9db-e1729c309abc
STIX ID: report--3f26ef2e-4f5c-5391-a9db-e1729c309abc
Feed Name: Bleeping Computer
An unpatched zero-day argument-injection vulnerability in the Gogs self-hosted Git service (affecting Gogs 0.14.2 and 0.15.0+dev) allows remote code execution: an attacker can run arbitrary code through a malicious branch name when a rebase-merge is performed. The flaw is exploitable on default-configured, Internet-facing instances because open registration and unlimited repository creation let an attacker create the account and repository needed to trigger it. The researcher reported the issue in March; the maintainers have acknowledged it but have not yet released a patch. Scanners (Shadowserver/Shodan) identify hundreds to thousands of exposed Gogs instances, so the risk to hosted repositories, credentials, and servers is significant.
