Gogs Zero-Day Exposes Servers to Remote Code Execution

A critical zero-day in Gogs (CVSS 9.4) allows authenticated users to execute arbitrary code via malicious branch names in pull requests. The vulnerability exploits argument injection in the rebase merge operation. Any organization running self-hosted Gogs is at risk, and public exploits are already available.
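The defensive counterpart to this bug class, as an added example in Go (not code from Gogs or from the advisory): a user-supplied branch name is validated and passed to `git rebase` so that it can never be parsed as an option. The names `ValidateBranch` and `RebaseArgs` and the sample branch names are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrUnsafeRef marks a branch name that must not reach the git command line.
var ErrUnsafeRef = errors.New("unsafe branch name")

// ValidateBranch applies a conservative subset of git's ref-name rules.
// The leading "-" check is the one that stops argument injection: a name
// that starts with a dash can be parsed by git as an option, not a ref.
func ValidateBranch(name string) error {
	if name == "" || strings.HasPrefix(name, "-") || strings.HasPrefix(name, "/") {
		return ErrUnsafeRef
	}
	if strings.Contains(name, "..") || strings.Contains(name, "@{") ||
		strings.HasSuffix(name, ".lock") || strings.HasSuffix(name, "/") {
		return ErrUnsafeRef
	}
	for _, r := range name {
		if r <= 0x20 || r == 0x7f || strings.ContainsRune("~^:?*[\\", r) {
			return ErrUnsafeRef
		}
	}
	return nil
}

// RebaseArgs returns the argv (after "git") for rebasing onto a user-named
// branch. The slice is meant for exec.Command, never for a shell string.
func RebaseArgs(base string) ([]string, error) {
	if err := ValidateBranch(base); err != nil {
		return nil, fmt.Errorf("%w: %q", err, base)
	}
	// Defense in depth: a fully qualified ref cannot begin with "-", and
	// --end-of-options (Git 2.24+) stops option parsing before it.
	return []string{"rebase", "--end-of-options", "refs/heads/" + base}, nil
}

func main() {
	// Constructed sample inputs, not taken from the advisory.
	for _, b := range []string{"feature/login", "--constructed-option"} {
		args, err := RebaseArgs(b)
		fmt.Println(args, err)
	}
}
```

Rejecting the name at pull request creation, and again immediately before the merge runs, keeps a branch that was pushed directly to the repository from bypassing the check.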