CVE-2026-24135 is a low severity vulnerability with a CVSS score of 0.0. Active exploits exist with no official patch available - immediate mitigation is required.
Very low probability of exploitation
EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.
A Path Traversal vulnerability exists in the updateWikiPage function of Gogs. The vulnerability allows an authenticated user with write access to a repository's wiki to delete arbitrary files on the server by manipulating the old_title parameter in the wiki editing form.
The vulnerability is located in internal/database/wiki.go. When updating a wiki page, the application accepts an old_title parameter to identify the potential rename operation. This parameter is used directly in path.Join and os.Remove without proper sanitization.
Code snippet from internal/database/wiki.go:
// Line 114
os.Remove(path.Join(localPath, oldTitle+".md"))
If an attacker provides a path traversal sequence (e.g., ../../../../target) as old_title, the os.Remove function will resolve the path relative to the wiki's local directory and delete the target file. The vulnerability is limited to deleting files that end with .md (due to the appended extension), but depending on the filesystem and specific path.Join behavior, or if critical .md files exist (e.g. documentation, other wikis), the impact is significant. Additionally, in some contexts, the extension might be bypassed or ignored.
Sanitize the oldTitle parameter using ToWikiPageName (or path.Clean and basename validation) before using it in file operations, similar to how the new title is currently handled.
// Recommended Fix
if oldTitle != "" {
oldTitle = ToWikiPageName(oldTitle)
}
Please cite this page when referencing data from Strobes VI. Proper attribution helps support our vulnerability intelligence research.
POST request to /repo/wiki/edit.old_title parameter to ../../../../tmp/target_file./tmp/target_file.md is deleted from the server.