Long-overdue update (May 31, 2026): This vulnerability was patched in Gogs 0.13.1, released on December 22, 2024. It turned out that the issue was previously reported in October 2023, nearly a year before my own report, and had likewise been ignored until the backlog of CVEs started to drum up attention. My overall recommendation still stands: don’t use Gogs; use Gitea or Forgejo.

The Gogs self-hosted Git service is vulnerable to symbolic link path traversal that enables remote code execution (CVE-2024-44625)....