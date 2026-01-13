CISA added Gogs CVE-2025-8110 to its Known Exploited Vulnerabilities catalog

Critical symlink bypass enables unauthenticated Remote Code Execution via PutContents API

Over 700 Gogs servers compromised; agencies must patch by February 2, 2026

The US Cybersecurity and Infrastructure Security Agency (CISA) has added a new bug to its Known Exploited Vulnerabilities (KEV) catalog, signaling not only that it is being actively exploited in the wild, but also ordering Federal Civilian Executive Branch (FCEB) agencies to patch it, or stop using the vulnerable software entirely.

The software at risk is Gogs, a self-hosted Git service that lets organizations run their own private alternative to GitHub or GitLab.

Gogs provides a web interface for hosting Git repositories, managing users and teams, handling pull requests, code reviews, issues, and basic project documentation, all on infrastructure under the user’s control. It is written in Go and designed to be lightweight and fast. In practice, Gogs is often used for internal development environments, air-gapped networks, or companies that want full control over source code access.

Data for sale

Cybersecurity researchers from Wiz Research recently found a critical symlink bypass vulnerability that allows unauthenticated users to achieve Remote Code Execution (RCE) by exploiting the PutContents API. With RCE, crooks can take over the underlying server entirely, deploying malware, exfiltrating sensitive data, and more.

The vulnerability is now tracked as CVE-2025-8110 and was given a CVSS severity score of 8.7 out of 10 (high). It was added to KEV on January 12, 2026, giving FCEB agencies until February 2 to apply the patch. The fix, which can be found on GitHub, adds symlink-aware path validation at all file write entry points, effectively mitigating the issue.
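To make the class of mistake concrete, here is an added illustration (not Gogs's code and not the actual patch) of what "symlink-aware path validation" means for a file write API, written in Go because that is Gogs's language. The constructed fixture (a repository root containing a symlink `link` that points at a directory outside the root, and the file name `link/escaped.txt`) is hypothetical and exists only for this demonstration. The weak check compares path strings and is satisfied because `repo/link/escaped.txt` looks like it is inside the repository; the hardened check resolves symlinks first and sees that the write would land in `outside/escaped.txt`.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned when the write target ends up outside the repository.
var ErrOutsideRoot = errors.New("write target escapes repository root")

// inside reports whether p is root itself or lies beneath it; both arguments
// must already be absolute, resolved paths.
func inside(root, p string) bool {
	rel, err := filepath.Rel(root, p)
	if err != nil {
		return false
	}
	return rel == "." || (rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator)))
}

// lexicalOnly is the weak check: it cleans the joined path and compares strings
// without consulting the filesystem. "../" escapes are caught, but a symlink
// inside the tree that points outside it passes unnoticed.
func lexicalOnly(root, rel string) (string, error) {
	target := filepath.Join(root, rel) // Join removes ".." components
	if !inside(filepath.Clean(root), target) {
		return "", ErrOutsideRoot
	}
	return target, nil
}

// resolveForWrite returns the real path a write to target would touch. The file
// may not exist yet, so if the full path cannot be resolved the parent directory
// is resolved instead and the new base name is appended.
func resolveForWrite(target string) (string, error) {
	if resolved, err := filepath.EvalSymlinks(target); err == nil {
		return resolved, nil
	} else if !errors.Is(err, os.ErrNotExist) {
		return "", err
	}
	realParent, err := filepath.EvalSymlinks(filepath.Dir(target))
	if err != nil {
		return "", err // missing intermediate directories are rejected as well
	}
	return filepath.Join(realParent, filepath.Base(target)), nil
}

// symlinkAware is the hardened check: the root and the write target are both
// resolved through every symlink before the containment comparison is made.
func symlinkAware(root, rel string) (string, error) {
	realRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return "", err
	}
	resolved, err := resolveForWrite(filepath.Join(realRoot, rel))
	if err != nil {
		return "", err
	}
	if !inside(realRoot, resolved) {
		return "", ErrOutsideRoot
	}
	return resolved, nil
}

// Result records which writes each check would let through.
type Result struct {
	LexicalAcceptsSymlinkEscape  bool
	HardenedAcceptsSymlinkEscape bool
	HardenedAcceptsNormalFile    bool
	HardenedAcceptsDotDot        bool
}

// Scenario builds the constructed fixture (hypothetical, for this demo only):
// <tmp>/repo is the repository root, <tmp>/outside lies beyond it, and
// <tmp>/repo/link is a symlink inside the repo pointing at ../outside.
func Scenario() (Result, error) {
	tmp, err := os.MkdirTemp("", "symlink-demo")
	if err != nil {
		return Result{}, err
	}
	defer os.RemoveAll(tmp)
	root := filepath.Join(tmp, "repo")
	for _, d := range []string{root, filepath.Join(tmp, "outside")} {
		if err := os.MkdirAll(d, 0o755); err != nil {
			return Result{}, err
		}
	}
	if err := os.Symlink(filepath.Join("..", "outside"), filepath.Join(root, "link")); err != nil {
		return Result{}, err
	}
	var r Result
	_, err = lexicalOnly(root, "link/escaped.txt")
	r.LexicalAcceptsSymlinkEscape = err == nil
	_, err = symlinkAware(root, "link/escaped.txt")
	r.HardenedAcceptsSymlinkEscape = err == nil
	_, err = symlinkAware(root, "docs/../README.md")
	r.HardenedAcceptsNormalFile = err == nil
	_, err = symlinkAware(root, "../escaped.txt")
	r.HardenedAcceptsDotDot = err == nil
	return r, nil
}

func main() {
	r, err := Scenario()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("%+v\n", r)
}
```

The point of the hardened variant is that the check must run at every write entry point and after symlink resolution, not before it; a check that validates the string and then hands the unresolved path to the filesystem leaves the gap open. In a real service the resolved path, not the original one, is what should be passed to the write.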

In its report, BleepingComputer stated that by November 1, 2025, there had already been two separate waves of attacks leveraging this vulnerability as a zero-day. Today, more than 1,400 Gogs servers are exposed online, and more than 700 of them already show signs of compromise.

In other words, it seems that cybercriminals are having a field day with vulnerable Gogs instances, while organizations lag at patching.

