rce2 articles
Unpatched RCE Flaw in Gogs Has a Metasploit Module and Zero Response From Maintainers
A critical remote code execution vulnerability (CVSS 9.4) has been discovered in Gogs, a popular open-source self-hosted Git service. Any authenticated user can exploit it to run code on the server, and from there steal credentials or tamper with hosted repositories. Rapid7 researcher Jonah Burgess reported the flaw to the Gogs maintainers in March 2026; after an initial acknowledgement they have not responded, no patch exists, and a public Metasploit exploit module has since been released. Until an official fix is available, administrators are advised to disable open registration, restrict repository creation, and turn off the "Rebase before merging" setting as interim mitigations.
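As an added example (not code from the article, Rapid7, or the Gogs project), the following POSIX shell audit checks a Gogs `app.ini` for the two interim mitigations that live in the server configuration. It assumes the Gogs keys `[service] DISABLE_REGISTRATION` and `[repository] MAX_CREATION_LIMIT`, and reads a limit of `0` as "users may not create repositories" (an assumption about how the limit is enforced for non-admin accounts). The per-repository "Rebase before merging" option is not an `app.ini` key and is not checked here; the sample ini in the usage comment is constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the article or the Gogs project. Audits a Gogs
# app.ini for two of the advisory's interim mitigations:
#   [service]    DISABLE_REGISTRATION = true   (no open registration)
#   [repository] MAX_CREATION_LIMIT   = 0      (assumed: users cannot create repos)
# The per-repository "Rebase before merging" setting is out of scope here.

# Print the value of KEY inside [SECTION] of an ini file (empty if absent).
# Accepts "key = value" with surrounding whitespace; skips ';' and '#' comments.
ini_get() {
    file=$1 section=$2 key=$3
    awk -v s="$section" -v k="$key" '
        /^[[:space:]]*[;#]/ { next }
        /^[[:space:]]*\[/ {
            gsub(/^[[:space:]]*\[|\][[:space:]]*$/, "")
            in_sec = ($0 == s); next
        }
        in_sec {
            n = index($0, "=")
            if (n == 0) next
            name = substr($0, 1, n - 1); val = substr($0, n + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", name)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            if (name == k) { print val; exit }
        }' "$file"
}

# Return 0 when both mitigations are in place; otherwise report each
# failing setting on stdout and return 1.
gogs_ini_hardened() {
    file=$1 rc=0
    reg=$(ini_get "$file" service DISABLE_REGISTRATION)
    lim=$(ini_get "$file" repository MAX_CREATION_LIMIT)
    case "$reg" in
        true|TRUE|True) ;;
        *) echo "[service] DISABLE_REGISTRATION is '${reg:-unset}', want true"; rc=1 ;;
    esac
    case "$lim" in
        0) ;;
        *) echo "[repository] MAX_CREATION_LIMIT is '${lim:-unset}', want 0"; rc=1 ;;
    esac
    return $rc
}

# Usage (constructed sample; a real file is usually custom/conf/app.ini):
#   printf '[service]\nDISABLE_REGISTRATION = true\n[repository]\nMAX_CREATION_LIMIT = 0\n' > /tmp/app.ini
#   gogs_ini_hardened /tmp/app.ini && echo hardened
```

Run the audit after every config change and on a schedule, since a later edit to `app.ini` silently reopens registration; the rebase option still has to be verified in each repository's settings.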
ChromaDB Has an Unpatched RCE Flaw and Its Developers Aren't Picking Up the Phone
An unpatched remote code execution vulnerability (CVE-2026-45829, dubbed "ChromaToast") in ChromaDB allows unauthenticated attackers to gain full shell access to a server by supplying a malicious HuggingFace model identifier, which the server downloads and executes *before* performing any authentication checks. The flaw affects all ChromaDB versions since 1.0.0 and approximately 73% of internet-accessible deployments, potentially exposing sensitive data such as API keys, environment variables, and files. Despite multiple disclosure attempts by both HiddenLayer (from February 2025) and an independent researcher (from November 2025), Chroma has not responded or issued a patch as of version 1.5.8, leaving administrators to mitigate the risk by restricting network access to trusted clients only.
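As an added example (not code from the article, HiddenLayer, or the Chroma project), the shell function below emits an nftables ruleset that lets only the listed source addresses reach the Chroma HTTP port, which is the network-restriction mitigation the summary describes. It assumes Chroma's default listening port of 8000 (override with `CHROMA_PORT`) and IPv4 clients; IPv6 traffic to the port is dropped by the catch-all rule. The addresses in the usage comment are constructed.

```shell
#!/bin/sh
# Added example, not from the article or the Chroma project. Generates an
# nftables ruleset restricting the Chroma server port to an allowlist.
# Assumes Chroma's default port 8000; set CHROMA_PORT to change it.

# chroma_nft_rules ADDR [ADDR...]
# Print a ruleset to stdout; each ADDR is an IPv4 host or CIDR range.
# Returns 2 with a usage message when no address is given, so an empty
# allowlist can never be applied by accident.
chroma_nft_rules() {
    if [ "$#" -eq 0 ]; then
        echo "usage: chroma_nft_rules ADDR [ADDR...]" >&2
        return 2
    fi
    port=${CHROMA_PORT:-8000}
    # Build "a, b, c" for the nft set literal.
    elems=$(printf '%s, ' "$@")
    elems=${elems%, }
    cat <<EOF
table inet chroma_guard {
    set trusted {
        type ipv4_addr
        flags interval
        elements = { $elems }
    }
    chain input {
        type filter hook input priority 0; policy accept;
        # Trusted IPv4 sources may reach Chroma; everything else (including
        # IPv6 and any other source) hitting the port is dropped.
        tcp dport $port ip saddr @trusted accept
        tcp dport $port drop
    }
}
EOF
}

# Usage (constructed addresses):
#   chroma_nft_rules 10.0.0.0/24 192.0.2.10 | sudo nft -f -
```

This only narrows who can talk to the server; because the download-and-execute happens before authentication, any host left on the allowlist can still trigger the flaw, so keep the list to the application servers that actually need the database.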