Critical Gogs RCE Vulnerability Lets Any Authenticated User Execute Arbitrary Code

ID: 80ba0610-318e-5277-8f07-73c658411503

STIX ID: report--80ba0610-318e-5277-8f07-73c658411503

Feed Name: The Hacker News

Threat Score: 80/100

Date Published: 2026-05-28

Date Updated: 2026-05-29

Author: The Hacker News

A critical RCE vulnerability in Gogs allows any registered user (or any user with write access to a repository where rebase merging is enabled) to execute arbitrary code by crafting a pull request with a malicious branch name that injects the --exec flag into git rebase during 'Rebase before merging'. Rapid7 rates the flaw at CVSS 9.4. It remains unpatched as of reporting, affects Windows, Linux and macOS, and a Metasploit module exists to automate exploitation. Recommended mitigations include disabling registration, restricting repository creation, and auditing rebase merge settings.