This blog post introduces four unpatched vulnerabilities in Gogs, a popular open-source solution for hosting and managing source code. The vulnerabilities were found by investigating the Gogs code base; they allow attackers to compromise vulnerable instances and, from there, steal source code, plant backdoors in it, wipe all code, and more. The most critical of them, CVE-2024-39930, is an argument injection vulnerability in the built-in SSH server that can be triggered by sending a specially crafted environment variable. To protect against these vulnerabilities, Gogs users are advised to disable the built-in SSH server, turn off user registration, and apply the patches created by the authors of this blog post. The authors additionally recommend switching to an alternative source code hosting platform such as Gitea, which is more actively maintained and has already fixed similar vulnerabilities. The post concludes that the Gogs maintainers have stopped responding to disclosures, leaving users limited time to patch before the 90-day disclosure deadline expires.
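A defender-side check for the two configuration mitigations named above (built-in SSH server off, registration off), added here as an example; it is not code from the blog post or from the Gogs project. It assumes Gogs's standard app.ini key names `START_SSH_SERVER` under `[server]` and `DISABLE_REGISTRATION` under `[service]`, and the ini text it reads is constructed.

```python
import configparser

# Constructed app.ini fragments, not taken from any real instance.
# Key names follow the layout of Gogs's custom/conf/app.ini (assumption).
EXPOSED_INI = """
APP_NAME = Gogs
[server]
START_SSH_SERVER = true
SSH_PORT = 2222

[service]
DISABLE_REGISTRATION = false
"""

HARDENED_INI = """
[server]
START_SSH_SERVER = false

[service]
DISABLE_REGISTRATION = true
"""


def _flag(cfg, section, key, default):
    """Read a boolean key, using the Gogs default when the key is absent."""
    if not cfg.has_option(section, key):
        return default
    return cfg.getboolean(section, key)


def check_gogs_hardening(ini_text):
    """Return findings for the mitigations the post recommends; empty means hardened."""
    cfg = configparser.ConfigParser(interpolation=None)
    # Gogs app.ini may carry keys before the first section header; give them a home
    # so configparser does not reject the file.
    cfg.read_string("[__root__]\n" + ini_text)
    findings = []
    # Default is off in Gogs; only an explicit 'true' exposes the built-in SSH server.
    if _flag(cfg, "server", "START_SSH_SERVER", False):
        findings.append("built-in SSH server enabled: set [server] START_SSH_SERVER = false")
    # Default is open registration, so a missing key is also a finding.
    if not _flag(cfg, "service", "DISABLE_REGISTRATION", False):
        findings.append("open registration: set [service] DISABLE_REGISTRATION = true")
    return findings


if __name__ == "__main__":
    for name, text in (("exposed", EXPOSED_INI), ("hardened", HARDENED_INI)):
        print(name, check_gogs_hardening(text) or ["no findings"])
```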