CVE-2025-8110

HIGHNVD 8.89.0▲Trending — 5 sources updated this weekExploited in the wild

8.8

Improper Symbolic link handling in the PutContents API in Gogs allows Local Execution of Code.

CVSS v3: 8.8
EG Score: 9.0(high)
EPSS: 95.2%
KEV: ⚠ Exploited

Published

December 10, 2025

Last Modified

January 20, 2026

Advisory Details (9)

Auto-updated Jun 2, 2026

⚠️ Active exploitation confirmed. Patch available. Sources: github_commit, github_pr, cisa.

cisa Patch Available🔴 Active Exploitation

Known Exploited Vulnerabilities Catalog | CISA

Known Exploited Vulnerabilities Catalog | CISA. Listed in CISA Known Exploited Vulnerabilities catalog.

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-8110

github_pr

security: prevent symlink traversal in repository API

Upstream fix in progress (PR #8078 · gogs/gogs, state=closed)

https://github.com/gogs/gogs/pull/8078

github_commit

commit 553707f3fd5f (gogs/gogs)

Fix landed in gogs/gogs commit 553707f3fd5f — awaiting tagged release

https://github.com/gogs/gogs/commit/553707f3fd5f68f47f531cfcff56aa3ec294c6f6

generic

oss-security - Re: CVE-2025-8110 in Gogs self-hosted git service

http://www.openwall.com/lists/oss-security/2026/01/18/2

generic🔴 Active Exploitation

oss-security - Re: CVE-2025-8110 in Gogs self-hosted git service

http://www.openwall.com/lists/oss-security/2026/01/18/1

generic🔴 Active Exploitation

oss-security - Re: CVE-2025-8110 in Gogs self-hosted git service

http://www.openwall.com/lists/oss-security/2026/01/17/4

generic

oss-security - Re: CVE-2025-8110 in Gogs self-hosted git service

http://www.openwall.com/lists/oss-security/2025/12/11/4

generic

oss-security - Re: CVE-2025-8110 in Gogs self-hosted git service

http://www.openwall.com/lists/oss-security/2025/12/11/3

generic🔴 Active Exploitation

Gogs Zero-Day RCE (CVE-2025-8110) Actively Exploited | Wiz Blog

http://wiz.io/blog/wiz-research-gogs-cve-2025-8110-rce-exploit

Patch Availability(1)

Vendor / Ecosystem	Fixed in / Patch	Released	Source
go	gogs.io/gogs	—	ghsa

Patches are aggregated from vendor advisories (Red Hat, Microsoft, Cisco, GitHub) and package ecosystems (OSV, GHSA). Multiple rows for the same upstream release have been deduplicated.

Weakness Classification(1)

MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.

CWE-22Path Traversal

Data Freshness Timeline

(refreshed 20× in last 7d / 20× in last 30d)

Every time one of our enrichment pipelines (NVD, MITRE cvelistV5, EPSS, CISA KEV, GHSA, OSV, vendor advisories) ran against this CVE. Most recent first.

2026-06-03 13:29 UTCEG score recompute
2026-06-03 13:29 UTCGHSA enrichment
2026-06-03 09:20 UTCEG score recompute
2026-06-03 09:19 UTCGHSA enrichment
2026-06-03 05:10 UTCEG score recompute
2026-06-03 05:10 UTCGHSA enrichment
2026-06-03 01:01 UTCEG score recompute
2026-06-03 01:01 UTCGHSA enrichment
2026-06-02 20:52 UTCEG score recompute
2026-06-02 20:52 UTCGHSA enrichment
2026-06-02 20:13 UTCepss_batch
2026-06-02 18:32 UTCkev_newly_listed
2026-06-02 16:43 UTCEG score recompute
2026-06-02 16:43 UTCGHSA enrichment
2026-06-02 12:35 UTCEG score recompute
2026-06-02 12:35 UTCGHSA enrichment
2026-06-02 08:27 UTCEG score recompute
2026-06-02 08:27 UTCGHSA enrichment
2026-06-02 04:19 UTCEG score recompute
2026-06-02 04:19 UTCGHSA enrichment

Publicly available exploits

(7 references)

Working exploit code is in the public domain (6 GitHub PoCs). Defenders should treat patch urgency accordingly — public PoCs typically lead to mass-exploitation within 24-72 hours.

GitHub PoCTYehan/CVE-2025-8110-Gogs-RCE-Exploit
First seen Apr 12, 2026
Gogs CVE-2025-8110 RCE Exploit
Open source ↗
GitHub PoCGhxstsec/CVE-2025-8110
First seen Apr 11, 2026
Open source ↗
GitHub PoCkayl22/cve-2025-8110-GOGS-RCE
First seen Apr 11, 2026
GOGS RCE cve-2025-8110 python script that automates the whole attack chain of creating a repository with a symlink file pointing to .git/config and then triggering rce via a poisoned sshCommand on the config file.
Open source ↗
GitHub PoC3jee/CVE-2025-8110
First seen Apr 11, 2026
CVE-2025-8110 — Gogs <= 0.13.3 Arbitrary File Write via Symlink Traversal in PutContents API
Open source ↗
GitHub PoCzAbuQasem/gogs-CVE-2025-8110
First seen Dec 13, 2025
CVE-2025-8110 PoC
Open source ↗
GitHub PoCrxerium/CVE-2025-8110
First seen Dec 11, 2025
Detection template for CVE-2025-8110
Open source ↗
Nucleihttp/cves/2025/CVE-2025-8110.yaml
First seen Jan 1, 2025
Gogs <= 0.13.3 - Remote Code Execution
Open source ↗

Frequently asked(6)

What is CVE-2025-8110?

CVE-2025-8110 is a high vulnerability published on December 10, 2025. Improper Symbolic link handling in the PutContents API in Gogs allows Local Execution of Code.

When was CVE-2025-8110 disclosed?

CVE-2025-8110 was first published in the National Vulnerability Database on December 10, 2025, with the most recent update on January 20, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.

Is CVE-2025-8110 actively exploited?

Yes. CISA added CVE-2025-8110 to the Known Exploited Vulnerabilities catalog on January 12, 2026, affecting Gogs Gogs. KEV listing indicates confirmed exploitation in the wild; this CVE warrants immediate patching attention.

What is the CVSS score of CVE-2025-8110?

CVE-2025-8110 has a CVSS v3 base score of 8.8 (NVD). EchelonGraph synthesises NVD + CISA KEV + FIRST EPSS + GHSA into a combined EG score of 9.0.

Which products are affected by CVE-2025-8110?

CVE-2025-8110 affects Gogs Gogs. The full affected-products list, including version ranges and fixed versions, is shown in the Affected Packages section of this page.

How do I remediate CVE-2025-8110?

Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2025-8110, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

See which npm, PyPI, Go, and Maven packages are affected by CVE-2025-8110

Explore →

Is Your Infrastructure Affected by CVE-2025-8110?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.

Start Free Scan →Browse All CVEs

CVE-2025-8110

Published

Last Modified

Advisory Details (9)

Known Exploited Vulnerabilities Catalog | CISA

security: prevent symlink traversal in repository API

commit 553707f3fd5f (gogs/gogs)

oss-security - Re: CVE-2025-8110 in Gogs self-hosted git service

oss-security - Re: CVE-2025-8110 in Gogs self-hosted git service

oss-security - Re: CVE-2025-8110 in Gogs self-hosted git service

oss-security - Re: CVE-2025-8110 in Gogs self-hosted git service

oss-security - Re: CVE-2025-8110 in Gogs self-hosted git service

Gogs Zero-Day RCE (CVE-2025-8110) Actively Exploited | Wiz Blog

Patch Availability(1)

Weakness Classification(1)

Data Freshness Timeline

Publicly available exploits

Frequently asked(6)

Dependency Blast Radius

Is Your Infrastructure Affected by CVE-2025-8110?

Same product

Same CWE

CVE-2025-8110

📅 Published

🔄 Last Modified

📋 Advisory Details (9)

Known Exploited Vulnerabilities Catalog | CISA

security: prevent symlink traversal in repository API

commit 553707f3fd5f (gogs/gogs)

oss-security - Re: CVE-2025-8110 in Gogs self-hosted git service

oss-security - Re: CVE-2025-8110 in Gogs self-hosted git service

oss-security - Re: CVE-2025-8110 in Gogs self-hosted git service

oss-security - Re: CVE-2025-8110 in Gogs self-hosted git service

oss-security - Re: CVE-2025-8110 in Gogs self-hosted git service

Gogs Zero-Day RCE (CVE-2025-8110) Actively Exploited | Wiz Blog

Patch Availability(1)

Weakness Classification(1)

Data Freshness Timeline

Publicly available exploits

❓ Frequently asked(6)

Dependency Blast Radius

Is Your Infrastructure Affected by CVE-2025-8110?

🔗 Related CVEs(same product + same CWE)

Same product

Same CWE

Published

Last Modified

Advisory Details (9)

Frequently asked(6)

Related CVEs(same product + same CWE)