Symlink bug in Gogs lets attacker commit a repo with a symlink pointing to a system file, and then Gogs will access the file under its own permissions I guess. Not good. Gogs should only run as an untrusted user though anyway.
Article doesn’t say whether Gitea or Forgejo (both Gogs descendants) have the same bug.
Gogs, Gitea, and Forgejo are all Git forges (like GitLab, basically a self-hosted GitHub-like web app) for those not familiar.


