Gogs

gogs.io

Awesome Privacy ➔ Development ➔ Code Hosting ➔ Gogs

Lightweight self-hosted git platform, written in Go.

Homepage: gogs.io
GitHub: github.com/gogs/gogs
Web info: web-check.xyz/check/gogs.io

Open Source

Gogs Source Code

Author

gogs

Description

The painless way to host your own Git service

#docker#git#go#gogs#mysql#postgresql#raspberry-pi#self-hosted#source-code-management#sqlite3#version-control

Homepage

https://gogs.io

License

MIT

Created

12 Feb 14

Last Updated

17 Jun 26

Latest version

v0.14.3

Primary Language

Size

212,424 KB

Stars

47,609

Forks

5,070

Watchers

47,609

Language Usage

Star History

Top Contributors

Recent Commits

dependabot[bot] (16 Jun 26)
chore(deps-dev): bump vite from 8.0.13 to 8.0.16 (#8367) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
ᴊᴏᴇ ᴄʜᴇɴ (10 Jun 26)
web: remove the install page (#8350)
ᴊᴏᴇ ᴄʜᴇɴ (08 Jun 26)
web: use a single landing banner for light and dark mode (#8344)
ᴊᴏᴇ ᴄʜᴇɴ (08 Jun 26)
chore: update SHA256 checksum link in release issue templates (#8345) [skip ci]
ᴊᴏᴇ ᴄʜᴇɴ (08 Jun 26)
fix: surface 5xx errors in the SPA boot and route loaders (#8343)
ᴊᴏᴇ ᴄʜᴇɴ (07 Jun 26)
release: cut CHANGELOG entries for 0.14.3 (#8338) [skip ci]
ᴊᴏᴇ ᴄʜᴇɴ (07 Jun 26)
chore: update CHANGELOG for removed custom templates [skip ci]
ᴊᴏᴇ ᴄʜᴇɴ (07 Jun 26)
security: require token auth for org metadata and team list (#8336)
ᴊᴏᴇ ᴄʜᴇɴ (07 Jun 26)
security: time out stalled SSH handshakes after 15s (#8335)
ᴊᴏᴇ ᴄʜᴇɴ (07 Jun 26)
security: reject path traversal in owner and repository names (#8334)
ᴊᴏᴇ ᴄʜᴇɴ (07 Jun 26)
security: verify content hash on LFS dedupe shortcut (#8333)
ᴊᴏᴇ ᴄʜᴇɴ (07 Jun 26)
security: walk full upload path for symlinks (#8332)
ᴊᴏᴇ ᴄʜᴇɴ (07 Jun 26)
security: harden Git HTTP access checks (#8331)
ᴊᴏᴇ ᴄʜᴇɴ (07 Jun 26)
security: upgrade notebookjs and route ipynb HTML through DOMPurify (#8330)
ᴊᴏᴇ ᴄʜᴇɴ (07 Jun 26)
security: enforce RESET_PASSWORD_CODE_LIVES on reset tokens (#8328)
ᴊᴏᴇ ᴄʜᴇɴ (06 Jun 26)
security: require admin for repo settings API endpoints (#8327)
ᴊᴏᴇ ᴄʜᴇɴ (06 Jun 26)
security: restrict ipynb sanitizer to safe image data URIs (#8326)
ᴊᴏᴇ ᴄʜᴇɴ (06 Jun 26)
security: sanitize milestone names in new issue form (#8325)
Jonah Burgess (06 Jun 26)
security: fix argument injection in pull request merge (rebase) (#8301) Co-authored-by: Jonah Burgess <[email protected]> Co-authored-by: Joe Chen <[email protected]>
ᴊᴏᴇ ᴄʜᴇɴ (06 Jun 26)
security: close SSRF in repository migration and recurring mirror sync (#8324)
E99p1ant (06 Jun 26)
database: bound collaboration access mode by `min(actor, admin)` (#8227) Co-authored-by: Joe Chen <[email protected]>
ᴊᴏᴇ ᴄʜᴇɴ (05 Jun 26)
security: harden same-site URL check against redirect bypass (#8322)
E99p1ant (05 Jun 26)
repository: validate remote address on mirror address update (#8225) Signed-off-by: E99p1ant <[email protected]> Co-authored-by: Joe Chen <[email protected]>
Joe Chen (05 Jun 26)
chore: update agents matter
ᴊᴏᴇ ᴄʜᴇɴ (05 Jun 26)
security: require POST for org team and member actions (#8321)
ᴊᴏᴇ ᴄʜᴇɴ (04 Jun 26)
security: enforce repo access on attachment download (#8320)
ᴊᴏᴇ ᴄʜᴇɴ (04 Jun 26)
security: upgrade marked.js to 4.3.0 (#8319)
ᴊᴏᴇ ᴄʜᴇɴ (03 Jun 26)
web: enable @pierre/diffs worker pool to fix blank flashes on fast diff scroll (#8317)
Robert Silén (03 Jun 26)
docs: document MariaDB support (#8260) Co-authored-by: ᴊᴏᴇ ᴄʜᴇɴ <[email protected]>
ᴊᴏᴇ ᴄʜᴇɴ (03 Jun 26)
chore: delete digitalocean_gc workflow (#8315)

Gogs Security

5.6/10

Repo Security Summary

Updated 01 Jun 26

Code-Review 0/10
Maintained 10/10
Security-Policy 10/10
CII-Best-Practices 0/10
Dangerous-Workflow 10/10
Token-Permissions 0/10
Binary-Artifacts 8/10
License 10/10
Fuzzing 0/10
Branch-Protection N/A
Signed-Releases 0/10
Pinned-Dependencies 8/10
Packaging 10/10
SAST 7/10

Security Advisories (41)

high Patched CVSS 7.3

CVE-2026-26276 DOM-based XSS via milestone selection

05 Mar 26
medium Patched

CVE-2026-26196 Access tokens get exposed through URL params in API requests

05 Mar 26
medium Patched

CVE-2026-26195 Stored XSS in branch and wiki views through author and committer names

05 Mar 26
high Patched

CVE-2026-26194 Release tag option injection in release deletion

05 Mar 26
high Patched CVSS 8.7

CVE-2026-26022 Stored XSS via data URI in issue comments

05 Mar 26
medium Patched

CVE-2026-25229 Authorization bypass allows cross-repository label modification

14 Feb 26
medium Patched

CVE-2026-25120 Cross-repository comment deletion

14 Feb 26
medium Patched CVSS 6.5

CVE-2026-23633 Arbitrary file read/write via path traversal in Git hook editing

06 Feb 26
medium Patched CVSS 6.5

CVE-2026-23632 Update repository content via API with read-only permission

06 Feb 26
high Patched

CVE-2026-24135 Arbitrary file deletion via path traversal in wiki page update

06 Feb 26
medium Patched CVSS 6.5

CVE-2026-22592 DoS in repository mirror sync

06 Feb 26
critical Patched

CVE-2026-25232 Protected branch bypass in web UI

14 Feb 26
medium Patched

CVE-2025-65852 Authorization bypass in repository deletion API

06 Feb 26
high Patched CVSS 7.3

GHSA-26gq-grmh-6xm6 Stored XSS via Mermaid diagrams

06 Feb 26
medium Patched

CVE-2026-25242 Unauthenticated file upload

14 Feb 26
high Patched

CVE-2025-64175 2FA bypass via recovery code

06 Feb 26
critical Patched

CVE-2025-64111 RCE in repository put contents API

06 Feb 26
critical Patched CVSS 10

CVE-2024-56731 Deletion of internal files allows remote command execution

24 Jun 25
high Patched CVSS 7.7

CVE-2024-39933 Argument Injection when tagging new releases

23 Dec 24
critical Patched CVSS 9.9

CVE-2024-39932 Argument Injection during changes preview

23 Dec 24
critical Patched CVSS 9.9

CVE-2024-39931 Deletion of internal files

23 Dec 24
critical Patched CVSS 9.9

CVE-2024-39930 Argument Injection in the built-in SSH server

23 Dec 24
critical Patched

CVE-2024-55947 Path Traversal in file update API

23 Dec 24
critical Patched

CVE-2024-54148 Path Traversal in file editing UI

23 Dec 24
critical Patched CVSS 9.3

CVE-2026-25921 Cross-repository LFS object overwrite via missing content hash verification

05 Mar 26
medium Patched CVSS 6.3

CVE-2025-47943 Stored XSS in PDF renderer

24 Jun 25
high Patched CVSS 8.5

CVE-2026-52797 Overwriting critical files results in a denial of service

03 Jun 26
critical Patched

CVE-2022-2024 OS Command Injection in repo editor on case-insensitive file systems

25 Feb 23
critical Patched

CVE-2022-32174 Stored XSS Assignee

25 Feb 23
high Patched

CVE-2022-1993 Path Traversal in Git HTTP endpoints

08 Jun 22
critical Patched

CVE-2022-1992 Path Traversal in file editor on Windows

08 Jun 22
medium Patched

CVE-2022-31038 XSS vulnerability in repository issue list

08 Jun 22
critical Patched

CVE-2022-1986 OS Command Injection in file editor

08 Jun 22
critical Patched

CVE-2021-32546 Remote Command Execution in file editing

31 May 22
critical Patched

CVE-2022-1884 OS Command Injection in file uploading

31 May 22
low Patched

GHSA-pj96-4jhv-v792 XSS in cookies

31 May 22
high Patched

CVE-2022-1285 SSRF in webhook

31 May 22
medium Patched

CVE-2022-1464 Stored XSS in issues

05 May 22
critical Patched

CVE-2022-0415 Remote command execution in file uploading

21 Mar 22
medium Patched

CVE-2022-0870 SSRF in repository migration

12 Mar 22
medium Patched

CVE-2022-0871 Improper PAM authorization handling

12 Mar 22

Gogs Website

Website

Introduction - Gogs: A painless self-hosted Git service

The painless way to host your own Git service

Redirects

Redirects to https://gogs.io/getting-started/introduction

Security Checks

All 65 security checks passed

Server Details

IP Address 76.76.21.21
Location Walnut, California, United States of America, NA
ISP Vercel Inc
ASN AS16509

Associated Countries

Safety Score

Website marked as safe

100%

Blacklist Check

gogs.io was found on 0 blacklists

AntiSocial Blacklist
Artists Against 419
Badbitcoin
Bambenek Consulting
CERT Polska
CoinBlockerLists
CRDF
CryptoScamDB
EtherAddressLookup
EtherScamDB
Fake Website Buster
MetaMask EthPhishing
NABP Not Recommended Sites
OpenPhish
PetScams
PhishFeed
PhishFort
Phishing.Database
PhishStats
PhishTank
Phishunt
RPiList Not Serious
Scam.Directory
SecureReload Phishing List
Spam404
StopGunScams
Suspicious Hosting IP
ThreatFox
ThreatLog
TweetFeed
URLhaus
ViriBack C2 Tracker

Website Preview

View full report at web-check.xyz

Gogs Reviews

More Code Hosting

Codeberg
codeberg.org

A fully-managed instance of Forgejo.

Open Source codeberg.org/forgejo/forgejo

View Codeberg Report
Gitea
gitea.io

Lightweight self-hosted git platform, written in Go.

Open Source go-gitea/gitea

View Gitea Report
GitLab
gitlab.com

Fully-featured git, CI and project management platform. Managed instance available, but can also be self-hosted.

Open Source Source

View GitLab Report
SourceHut
sourcehut.org

Git and mercurial code hosting, task management, mailing lists, wiki hosting and Alpine-based build pipelines. Can be self-hosted, or used through the managed instance at sr.ht.

Open Source Source

View SourceHut Report

About the Data: Gogs

Change History

Amended Jun 10, 2026 (github) by @lissy93 #608

API

You can access Gogs's data programmatically via our API. Simply make a GET request to:

https://api.awesome-privacy.xyz/v1/services/gogs

The REST API is free, no-auth and CORS-enabled. To learn more, view the API Docs or read the API Usage Guide.

Share Gogs

Help your friends compare Code Hosting, and pick privacy-respecting software and services.
Share Gogs and Awesome Privacy with your network!

← Previous

Gitea

View Code Hosting (5)