Gogs Path Traversal Bug Actively Exploited, CISA Warns

Insights Desk, January 13, 2026; January 14, 2026

An alert has been issued regarding a path traversal vulnerability in the self-hosted Git service Gogs that is being actively exploited in the wild. On January 12, 2026, the vulnerability, tracked as CVE-2025-8110, was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, indicating that threat actors were actively exploiting it.

CVE-2025-8110 is caused by improper symbolic link handling in the Gogs PutContents API. The path traversal lets attackers escape restricted directories and potentially execute arbitrary code on vulnerable systems. The vulnerability is classified under CWE-22, Improper Limitation of a Pathname to a Restricted Directory (“Path Traversal”).

Path traversal vulnerabilities arise when attackers use special path elements, such as “../” sequences, to navigate outside the intended directories and access sensitive files or run malicious code. In Gogs, the symbolic link handling weakness lets attackers manipulate file paths and execute code.

CISA’s addition of CVE-2025-8110 to the KEV catalog indicates that threat actors are using the vulnerability in real attacks. Organizations running affected Gogs installations face a serious security risk because of the flaw’s potential for code execution, although it is not yet known whether ransomware operations are using it.

Binding Operational Directive (BOD) 22-01 requires federal agencies to fix this vulnerability by February 2, 2026. Organizations should apply vendor-provided updates and mitigations right away. For cloud services, administrators should follow the applicable BOD 22-01 guidance. CISA advises discontinuing use of the vulnerable product if mitigations are not available.
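The article attributes the flaw to symbolic link handling rather than to “../” sequences alone. The Go sketch below is an added illustration, not Gogs code and not its patch: it contrasts a purely lexical containment check with one that resolves symlinks before deciding. All function names and the temp-directory layout are constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// within reports whether p is root itself or lies beneath it (string comparison only).
func within(root, p string) bool {
	rel, err := filepath.Rel(root, p)
	return err == nil && rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// lexicalOK normalises the joined path: it stops "../" but never consults the filesystem.
func lexicalOK(root, name string) bool {
	return within(root, filepath.Join(root, name))
}

// symlinkAwareOK also resolves symlinks on disk and rechecks containment; errors fail closed.
func symlinkAwareOK(root, name string) bool {
	p := filepath.Join(root, name)
	if !within(root, p) {
		return false
	}
	resolved, err := filepath.EvalSymlinks(p)
	if _, lerr := os.Lstat(p); errors.Is(err, os.ErrNotExist) && lerr != nil {
		// New file: resolve its parent instead. A dangling link (Lstat succeeds) keeps err set.
		resolved, err = filepath.EvalSymlinks(filepath.Dir(p))
		resolved = filepath.Join(resolved, filepath.Base(p))
	}
	realRoot, rerr := filepath.EvalSymlinks(root)
	return err == nil && rerr == nil && within(realRoot, resolved)
}

// demo builds a constructed layout in a temp dir: repo/link is a symlink to ../outside.
func demo() (lexical, aware, plain bool) {
	tmp, _ := os.MkdirTemp("", "traversal-demo") // setup errors ignored for brevity
	defer os.RemoveAll(tmp)
	root, out := filepath.Join(tmp, "repo"), filepath.Join(tmp, "outside")
	os.Mkdir(root, 0o755)
	os.Mkdir(out, 0o755)
	os.Symlink(out, filepath.Join(root, "link"))
	return lexicalOK(root, "link/new.txt"), symlinkAwareOK(root, "link/new.txt"), symlinkAwareOK(root, "README.md")
}

func main() { fmt.Println(demo()) } // prints: true false true
```

A check followed by a separate write is still racy if another process can change the tree in between; Go 1.24's os.Root enforces the containment at open time instead.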