Gogs Zero-Day RCE Lets Any Authenticated User Execute Arbitrary Code

A critical vulnerability (CVSS 9.4, no CVE assigned yet) in Gogs — a widely used self-hosted Git service — allows any authenticated user to achieve remote code execution under certain conditions, per Rapid7 research. No patch is currently available, leaving all internet-facing Gogs instances exposed. Gogs is commonly deployed as a lightweight, self-hosted alternative to GitHub by development teams and enterprises managing private repositories. Administrators should audit exposure, restrict authenticated access to trusted users only, and monitor for upstream patch availability. The public disclosure without a fix makes this a live zero-day for the community to respond to now.