Rapid7's Jonah Burgess has disclosed an unpatched argument-injection RCE in Gogs, the self-hosted Git service often used as a GitLab/GitHub Enterprise alternative. The flaw affects Gogs 0.14.2 and 0.15.0+dev and requires authentication, but Gogs ships with open registration enabled by default (DISABLE_REGISTRATION = false) and no repository creation limits, so any internet-facing default-configured instance is effectively unauthenticated-exploitable: an attacker creates an account and repo, enables rebase merging in settings, and the entire exploit chain runs without third-party interaction. Code execution lands as the Gogs server-process user. No CVE has been assigned and no patch is available; mitigations involve disabling open registration.