Gogs Git Service Faces Unpatched RCE That Turns Any User Into Server Owner

WebProNews·Sara Donnelly·2 days ago

Self-hosted Git servers rarely make front-page news. Yet one flaw in Gogs has security teams reviewing every internal deployment this week. An authenticated attacker can achieve remote code execution on the host simply by opening a pull request. No administrator rights required. No victim interaction. And, as of May 29, 2026, no patch exists. The vulnerability carries a 9.4 CVSS score. It stems from argument injection into `git rebase`. Researchers discovered it months ago. The project maintainers received the report on March 17. They acknowledged receipt. Then silence. Rapid7 researcher Jonah Burgess laid out the mechanics in detail. "The vulnerability allows any authenticated user to achieve remote code execution (RCE) on the server by creating a pull request with a malicious branch name that injects the --exec flag into git rebase during the 'Rebase before merging' merge operation," he said. (Rapid7) Short and simple. The attack lives inside the attacker's own repository.…
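The class of bug described above is a user-controlled branch name reaching a git command line where a leading dash is parsed as an option. The following is an added illustration (not Gogs code, not from the Rapid7 write-up) of the control a hosting service needs before it rebases anything: reject names that could be read as options, then pass the names as argv elements rather than through a shell. The branch-name rules are an assumed conservative subset of git's own ref-name rules.

```python
import re
import subprocess

# Assumed conservative subset of git's ref-name rules: first character must be
# alphanumeric, so a name can never begin with '-' and be parsed as an option.
_ALLOWED = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._/-]*$")
_BAD_SUBSTRINGS = ("..", "@{", "//", "\\")


def is_safe_branch_name(name: str) -> bool:
    """True only for names that are plain refs, never option lookalikes."""
    if not name or len(name) > 255 or not _ALLOWED.match(name):
        return False                      # empty, too long, leading '-' or '.'
    if any(bad in name for bad in _BAD_SUBSTRINGS):
        return False
    if name.endswith(("/", ".", ".lock")):
        return False
    # No path segment may start with '.' or end with '.lock'
    return not any(seg.startswith(".") or seg.endswith(".lock")
                   for seg in name.split("/"))


def rebase_argv(upstream: str, branch: str) -> list[str]:
    """Build argv for `git rebase <upstream> <branch>` from untrusted names.

    Validation is the key control: git's option parser would treat an
    argument such as '--something' as a flag, not as a ref name.
    """
    for name in (upstream, branch):
        if not is_safe_branch_name(name):
            raise ValueError(f"refusing unsafe branch name: {name!r}")
    return ["git", "rebase", upstream, branch]


def run_rebase(repo_dir: str, upstream: str, branch: str) -> subprocess.CompletedProcess:
    """Run the rebase with an argv list (no shell), after validation."""
    return subprocess.run(rebase_argv(upstream, branch), cwd=repo_dir,
                          capture_output=True, text=True, check=False)
```

A server-side integration would call `run_rebase()` only after `is_safe_branch_name()` has accepted both the base and head branch names at PR creation time, so the rejection happens before any git process is spawned.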
