Labs
Short research notes on newly disclosed vulnerabilities: the problem, the payload, and the fix.
- highCVE-2026-54353
CVE-2026-54353: @budibase/backend-core SSRF DNS Rebinding Bypass
Authenticated Budibase users can trick the SSRF blacklist into approving a request that actually connects to an internal host, by using a DNS rebinding hostname that returns a public IP during validat
- highCVE-2026-52798
CVE-2026-52798: Gogs Stored XSS in .ipynb Notebook Preview
A stored XSS flaw in Gogs lets any user with repository write access embed a javascript: link inside a Jupyter notebook file, which executes arbitrary JavaScript in a viewer's browser when they click
- highCVE-2026-52799
CVE-2026-52799: Gogs Missing Authorization in Attachment Download
Gogs serves issue and release attachment files to anyone who knows the UUID, with no check that the requester can actually view the repository the attachment belongs to.
- highCVE-2026-52801
CVE-2026-52801: Gogs Mirror Settings SSRF and Local Repository Import
Any authenticated Gogs user can bypass the protection on the New Migration feature by updating a mirrored repository's address to a local filesystem path or internal URL, letting them read any repo th
- highCVE-2026-55173
CVE-2026-55173: AVideo sanitizeFFmpegCommand OS Command Injection via Ampersand Bypass
AVideo's incomplete patch for a prior command injection bug still lets an attacker run arbitrary OS commands on the encoder server by slipping a bare '&' shell operator past the sanitizer.
- highCVE-2026-52800
CVE-2026-52800: Gogs CSRF Leading to Organization Owner Takeover
A missing CSRF check on Gogs organization team management endpoints lets an attacker hijack an org by tricking a logged-in owner into opening a crafted link.
- highCVE-2026-52805
CVE-2026-52805: Gogs Migration Redirect Bypass SSRF (Internal Repository Theft)
Gogs lets any authenticated user steal internal Git repositories by submitting a migration URL that redirects to a private network address, bypassing the hostname blocklist because only the initial UR
- highCVE-2026-52807
CVE-2026-52807: Gogs Stored DOM-based XSS via Milestone Name on New Issue Page
A repository collaborator can store a JavaScript payload inside a milestone name that silently executes in any visitor's browser the moment they open the New Issue page and interact with the milestone
- criticalCVE-2026-52806
CVE-2026-52806: Gogs RCE via git rebase --exec Argument Injection
Any authenticated Gogs user can run arbitrary commands on the server by naming a git branch starting with --exec= and opening a pull request that uses the Rebase merge style.
- criticalCVE-2026-52811
CVE-2026-52811: Gogs UploadRepoFiles Arbitrary File Write via Parent Symlink
An authenticated Gogs user with repository write access can overwrite any file the server process can reach, including SSH authorized_keys and git hooks, by uploading a file whose name contains a back
- highCVE-2026-52808
CVE-2026-52808: Gogs Write-Level Collaborator Authorization Bypass on Admin API Endpoints
Any repository collaborator with write access can call three admin-only Gogs API endpoints to hijack the Issues or Wiki tab with an attacker-controlled redirect URL, because the API routes use a weake
- highCVE-2026-52810
CVE-2026-52810: Gogs Git Smart HTTP Authorization Bypass via service Query Parameter Confusion
A read-only collaborator on a Gogs instance can push commits to a repository they should never be able to write to, by forging a single query parameter on the push HTTP request.