Metasploit
Gogs 0-Day: Argument Injection in Rebase Merging Gives Any User RCE — and There's No Patch
Rapid7 disclosed an unpatched CVSS 9.4 RCE in Gogs. A malicious branch name injects --exec into git rebase during 'Rebase before merging,' giving any registered user code execution on the server. No CVE, no fix — only config-level mitigations.
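The bug class described above, option injection through a branch name, can be closed at the point where the git command line is built. This is an added example in Go, not Gogs or Rapid7 code: `ValidateBranchName`, `RebaseArgs` and `ErrUnsafeRef` are hypothetical names, the sample branch names are constructed, and the checks are a subset of git's ref-name rules.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrUnsafeRef marks a branch name that must never reach a git command line.
var ErrUnsafeRef = errors.New("branch name rejected")

// ValidateBranchName (hypothetical helper) rejects names git could parse as an
// option, plus a subset of the names git itself refuses as refs.
func ValidateBranchName(name string) error {
	switch {
	case name == "", strings.HasPrefix(name, "-"): // option-like, e.g. --exec
		return ErrUnsafeRef
	case strings.Contains(name, ".."), strings.Contains(name, "@{"):
		return ErrUnsafeRef
	case strings.HasSuffix(name, "/"), strings.HasSuffix(name, "."),
		strings.HasSuffix(name, ".lock"):
		return ErrUnsafeRef
	}
	for _, r := range name {
		// Control characters, whitespace and revision-syntax metacharacters.
		if r < 0x20 || r == 0x7f || strings.ContainsRune(" ~^:?*[\\", r) {
			return ErrUnsafeRef
		}
	}
	return nil
}

// RebaseArgs (hypothetical helper) returns the argv for `git rebase`. The
// branch is passed fully qualified, so the argument always begins with
// "refs/heads/" and cannot start with "-" even if validation is changed later.
func RebaseArgs(base string) ([]string, error) {
	if err := ValidateBranchName(base); err != nil {
		return nil, fmt.Errorf("%w: %q", err, base)
	}
	return []string{"rebase", "refs/heads/" + base}, nil
}

func main() {
	// Constructed sample names: one ordinary branch and three that are refused.
	for _, name := range []string{"feature/login", "--exec=placeholder", "-i", "fix..bug"} {
		args, err := RebaseArgs(name)
		fmt.Printf("%-22q args=%v err=%v\n", name, args, err)
	}
}
```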