[2026-07-01T14:26:29Z] vuln_commit=5dcb6c64bdf61e38dbdbb941c1d69789c560d0fb fixed_commit=3ba8aca90e17e5410b7e8b227c9f29256ac3e875 repo=/data/pruva/project-cache/434d5a1b-91bf-4625-a029-d1d766c01877/repo
[2026-07-01T14:26:29Z] building vuln at 5dcb6c64b
[2026-07-01T14:27:17Z] vuln built: Gogs version 0.14.2
[2026-07-01T14:27:17Z] building fixed at 3ba8aca90
[2026-07-01T14:27:25Z] fixed built: Gogs version 0.14.3
[2026-07-01T14:27:25Z] === run_one vuln/1 (port 33181) ===
[2026-07-01T14:27:27Z] vuln/1: writer id=1 localcopy=/workspace/artifacts/8363606b-ffb6-4671-bf5d-9a7a6060953e/bundle/artifacts/gogs-cve-2026-52813/run-vuln-1/data/tmp/local-r/1
[2026-07-01T14:27:30Z] vuln/1: org=201 repo=201 nested=yes planted=yes rce=yes
[2026-07-01T14:27:30Z] === run_one vuln/2 (port 33182) ===
[2026-07-01T14:27:35Z] vuln/2: writer id=1 localcopy=/workspace/artifacts/8363606b-ffb6-4671-bf5d-9a7a6060953e/bundle/artifacts/gogs-cve-2026-52813/run-vuln-2/data/tmp/local-r/1
[2026-07-01T14:27:37Z] vuln/2: org=201 repo=201 nested=yes planted=yes rce=yes
[2026-07-01T14:27:38Z] === run_one fixed/1 (port 33183) ===
[2026-07-01T14:27:40Z] fixed/1: writer id=1 localcopy=/workspace/artifacts/8363606b-ffb6-4671-bf5d-9a7a6060953e/bundle/artifacts/gogs-cve-2026-52813/run-fixed-1/data/tmp/local-r/1
[2026-07-01T14:27:42Z] fixed/1: org=422 repo=500 nested=no planted=no rce=no
[2026-07-01T14:27:42Z] === run_one fixed/2 (port 33184) ===
[2026-07-01T14:27:44Z] fixed/2: writer id=1 localcopy=/workspace/artifacts/8363606b-ffb6-4671-bf5d-9a7a6060953e/bundle/artifacts/gogs-cve-2026-52813/run-fixed-2/data/tmp/local-r/1
[2026-07-01T14:27:45Z] fixed/2: org=422 repo=500 nested=no planted=no rce=no
CVE-2026-52813 — Gogs path traversal in organization name -> RCE via Git hooks
vulnerable_commit=5dcb6c64bdf61e38dbdbb941c1d69789c560d0fb (v0.14.2)
fixed_commit=3ba8aca90e17e5410b7e8b227c9f29256ac3e875 (v0.14.3)
vulnerable_successful_attempts=2 (of 2) # each: org 201 + nested repo outside ROOT + executable hook planted + RCE marker written
fixed_negative_control_attempts=2 (of 2) # each: org creation rejected (422), no nested repo, no RCE
observed_impact=code_execution
[2026-07-01T14:27:46Z] VERDICT: 2/2 vulnerable RCE confirmed, 2/2 fixed negative control passed