Critical Gogs Zero-Day Exploited in the Wild, Threatens Source Code Repositories

A critical zero-day vulnerability in the open-source Git service Gogs is now under active exploitation, enabling attackers to execute remote code and access private repositories on unpatched, internet-facing instances. With a Metasploit module already released, the threat is weaponized and poses an immediate risk to organizations using Gogs for source code management.

Patch Gogs Immediately to Block Active Exploitation

The highest priority action for today is patching all Gogs instances to version 0.14.0 or later. The vulnerability, a command injection flaw, is triggered via a malicious branch name during a rebase operation. An attacker can craft a branch name containing --exec <command> and request a rebase to achieve remote code execution. The availability of a Metasploit module confirms the exploit’s reliability in the wild. If immediate patching is impossible, block external access to the Gogs web interface at the / and /api/v1 paths via network firewall rules as a critical stopgap measure.

Review Logs and Harden Against Related Infrastructure Threats

Organizations must review Gogs audit logs for any git operations containing --exec in branch names or unusual rebase requests from unauthenticated or new users. Concurrently, deploy Web Application Firewall (WAF) rules to block HTTP requests containing patterns like --exec or ${ in parameters, headers, or body data targeting Gogs endpoints. This threat landscape extends to other critical infrastructure; ensure Apache ActiveMQ instances are patched against the related CVE-2023-46604 RCE flaw mentioned in the same Metasploit update, and restrict network access to its ports (61616, 8161).

Mitigate Emerging Firmware and Industrial Control System Risks

Beyond application servers, firmware-level threats are emerging. Two new CVEs, CVE-2026-0116 and CVE-2026-0114, affect Samsung Exynos chipsets, enabling out-of-bounds writes in the Multi Format Codec driver and modem firmware, respectively. These could lead to remote code execution. Identify affected devices, apply vendor firmware updates, and consider disabling unnecessary kernel modules (s5p_mfc) or segmenting networks to isolate vulnerable devices. Furthermore, Iranian-affiliated APT actors are actively exploiting internet-facing Programmable Logic Controllers (PLCs). Immediately block external internet access to Rockwell Automation/Allen-Bradley PLCs on TCP ports 44818, 2222, and 80.

Defend Against Sophisticated Phishing and Supply Chain Attacks

The threat actor landscape remains broad. NSO Group continues phishing attacks via WhatsApp, using fake security alerts. Enable two-step verification for all corporate WhatsApp accounts and deploy DNS filtering to block known NSO infrastructure. Meanwhile, AI hype is being weaponized for social engineering; configure email security to flag external emails with subjects containing “AI,” “ChatGPT,” or similar lures. In the CI/CD pipeline, a prompt injection flaw in the anthropic/claude-code-action GitHub Action could leak secrets. Review and update any workflows using this action to version 2.1 or later and enforce least-privilege permissions for GitHub tokens.

Prioritize patching Gogs above all else. For organizations that cannot patch immediately, implement strict network-level blocking for the Gogs web interface and review logs for signs of compromise. Finally, extend defensive scrutiny to your industrial control and CI/CD environments by blocking external PLC access and updating vulnerable GitHub Actions.