less on sec

exploring, hacking and breaking stuff


CVE-2025-64719: Git Pathspec Confusion Denial of Service in Gogs

In Gogs versions <= 0.14.2, a malicious user with rights to create a new file or wiki entry can cause a persistent denial of service on repository and wiki pages by creating files whose names are interpreted as malformed Git pathspecs. The result is HTTP 500 errors when the wiki index and repo index pages are viewed.

More information and root cause analysis are in GitHub's security advisory: GHSA-3qq3-668m-v9mj
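The following is an added example, not code from Gogs or from the advisory, and it does not show the project's actual fix. It illustrates the general defence against this bug class in a Go application that shells out to Git: flag stored names that Git would not match literally, and pass user-controlled paths with the real `--literal-pathspecs` global option after a `--` separator. The function names and the sample file names are hypothetical and constructed for illustration.

```go
package main

import (
	"fmt"
	"os/exec"
	"strings"
)

// looksLikePathspecMagic reports whether Git would parse name as a pathspec
// with a magic signature instead of a plain path. Per gitglossary(7), any
// pathspec that begins with ':' is treated this way.
func looksLikePathspecMagic(name string) bool {
	return strings.HasPrefix(name, ":")
}

// hasGlobMeta reports whether name contains characters that Git treats as
// wildcard syntax in a non-literal pathspec.
func hasGlobMeta(name string) bool {
	return strings.ContainsAny(name, "*?[\\")
}

// literalGitArgs builds the argument list for a git subcommand so that every
// user-supplied path is matched byte for byte: --literal-pathspecs disables
// magic and glob handling, and "--" stops option parsing before the paths.
func literalGitArgs(subcmd []string, paths ...string) []string {
	args := []string{"--literal-pathspecs"}
	args = append(args, subcmd...)
	args = append(args, "--")
	return append(args, paths...)
}

func main() {
	// Constructed sample names, as they might be stored in a repository or wiki.
	names := []string{"README.md", ":notes.md", "docs/*.md"}
	for _, n := range names {
		fmt.Printf("%-12q magic=%-5v glob=%v\n", n, looksLikePathspecMagic(n), hasGlobMeta(n))
	}

	// The command is only constructed and printed here, not executed.
	cmd := exec.Command("git", literalGitArgs([]string{"log", "-1", "--format=%H"}, names[1])...)
	fmt.Println(cmd.Args)
}
```

The two predicates are useful for auditing existing repositories for affected names; the argument builder is the part that keeps index pages working regardless of what names are present.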

Disclosure timeline

05/11/2025 Opened security issue on GitHub
12/11/2025 Maintainers acknowledged the vulnerability
12/11/2025 CVE IDs requested
12/11/2025 CVE IDs reserved
07/06/2026 Release with fix
19/06/2026 Disclosure