An unpatched critical RCE vulnerability in Gogs allows any authenticated user to execute OS commands with the privileges of the Gogs service account via argument injection through a maliciously crafted branch name in a git rebase operation. A public Metasploit module automates the full exploit chain. No vendor patch exists as of late May 2026, responsible disclosure occurred approximately March 2026, and no CVE identifier has been publicly assigned. All Gogs versions on all platforms are affected.