From 6b776e149f1d04c372124e3bd47b1644e4a485a4 Mon Sep 17 00:00:00 2001
From: WRG-11 <281155251+WRG-11@users.noreply.github.com>
Date: Tue, 2 Jun 2026 06:07:23 +0300
Subject: [PATCH 1/5] feat: add Gogs rebase RCE argument injection detection rule (Linux)

---
 ...lnx_gogs_rebase_rce_argument_injection.yml | 45 +++++++++++++++++++
 1 file changed, 45 insertions(+)
 create mode 100644 rules/linux/process_creation/proc_creation_lnx_gogs_rebase_rce_argument_injection.yml

diff --git a/rules/linux/process_creation/proc_creation_lnx_gogs_rebase_rce_argument_injection.yml b/rules/linux/process_creation/proc_creation_lnx_gogs_rebase_rce_argument_injection.yml
new file mode 100644
index 00000000000..548f7bcc6ad
--- /dev/null
+++ b/rules/linux/process_creation/proc_creation_lnx_gogs_rebase_rce_argument_injection.yml
@@ -0,0 +1,45 @@
+---
+title: Gogs Rebase Argument Injection RCE via Git Exec Flag
+id: c1c6a4a7-9795-5282-80c7-11da044740ae
+status: experimental
+description: |
+    Detects the Gogs authenticated argument-injection RCE (CWE-88, CVSSv4 9.4, unpatched as of
+    disclosure) in which a pull request with a malicious base-branch name injects an --exec flag
+    into the git rebase that Gogs runs during "Rebase before merging". Because the base branch
+    name is passed to git rebase without a -- separator, a branch named like --exec= is
+    interpreted by git as a flag and the command runs via sh -c as the Gogs server user.
+    A public Metasploit module exists (multi/http/gogs_rebase_rce). Only authenticated users
+    need be an attacker; on instances with open registration that means any user.
+    The 0-FP discriminator is the parent process: the exploit launches git rebase from the Gogs
+    server process, whereas a legitimate git rebase --exec from a developer shell or CI runner
+    has a non-gogs parent and does not match.
+references:
+    - https://www.rapid7.com/blog/post/ve-authenticated-rce-via-argument-injection-gogs-unfixed/
+    - https://thehackernews.com/2026/05/critical-gogs-rce-vulnerability-lets.html
+author: WRG-11
+date: 2026-06-01
+tags:
+    - attack.execution
+    - attack.initial-access
+    - attack.t1059
+    - attack.t1190
+logsource:
+    category: process_creation
+    product: linux
+detection:
+    selection_git_rebase:
+        Image|endswith: '/git'
+        CommandLine|contains: 'rebase'
+    selection_exec_injection:
+        CommandLine|contains:
+            - '--exec'
+            - ' -x '
+    selection_gogs_parent:
+        ParentImage|endswith: '/gogs'
+    condition: selection_git_rebase and selection_exec_injection and selection_gogs_parent
+falsepositives:
+    - Very low by design. A legitimate git rebase --exec from a developer shell, IDE, or CI runner
+      has a non-gogs parent and will not match. If a deployment intentionally scripts git rebase
+      --exec as the gogs service user (uncommon), add a CommandLine allowlist for that specific
+      command after field-testing.
+level: critical

From 18054243b370c24f6e66d5872257230451588835 Mon Sep 17 00:00:00 2001
From: WRG-11 <281155251+WRG-11@users.noreply.github.com>
Date: Tue, 2 Jun 2026 06:20:53 +0300
Subject: [PATCH 2/5] fix: express falsepositives as a concrete scenario per SigmaHQ convention

---
 ...roc_creation_lnx_gogs_rebase_rce_argument_injection.yml | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/rules/linux/process_creation/proc_creation_lnx_gogs_rebase_rce_argument_injection.yml b/rules/linux/process_creation/proc_creation_lnx_gogs_rebase_rce_argument_injection.yml
index 548f7bcc6ad..afe0a29a598 100644
--- a/rules/linux/process_creation/proc_creation_lnx_gogs_rebase_rce_argument_injection.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_gogs_rebase_rce_argument_injection.yml
@@ -38,8 +38,7 @@ detection:
         ParentImage|endswith: '/gogs'
     condition: selection_git_rebase and selection_exec_injection and selection_gogs_parent
 falsepositives:
-    - Very low by design. A legitimate git rebase --exec from a developer shell, IDE, or CI runner
-      has a non-gogs parent and will not match. If a deployment intentionally scripts git rebase
-      --exec as the gogs service user (uncommon), add a CommandLine allowlist for that specific
-      command after field-testing.
+    - A deployment that intentionally runs 'git rebase --exec' as the Gogs service user (for example
+      a scripted maintenance task); add a CommandLine allowlist for that specific command after
+      field-testing.
 level: critical

From 0b37e2883fdf5a65206b8f10df939ea1f0e09db6 Mon Sep 17 00:00:00 2001
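Review bot: The `attack.t1059` entry under `tags:` is the parent technique, but the description itself states that the injected command runs via `sh -c`, so the Unix Shell sub-technique `attack.t1059.004` is the more precise mapping; the same tag list is carried unchanged into the rules-emerging-threats copy added in PATCH 4/5, so the fix applies there too. The three description lines beginning "The 0-FP discriminator is the parent process" are rationale rather than a statement of what is detected, and a zero-false-positive claim in `description:` is stronger than a Sigma rule should make; the exclusion of legitimate `git rebase --exec` is already expressed by `selection_gogs_parent` and by `falsepositives:`. I would drop those lines or reduce them to `Legitimate git rebase --exec runs from developer shells or CI have a non-gogs parent and are excluded by the ParentImage filter.`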
From: WRG-11 <281155251+WRG-11@users.noreply.github.com>
Date: Tue, 2 Jun 2026 12:17:56 +0300
Subject: [PATCH 3/5] style: drop forbidden YAML document-start marker (SigmaHQ yamllint document-start present:false)

---
 .../proc_creation_lnx_gogs_rebase_rce_argument_injection.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/rules/linux/process_creation/proc_creation_lnx_gogs_rebase_rce_argument_injection.yml b/rules/linux/process_creation/proc_creation_lnx_gogs_rebase_rce_argument_injection.yml
index afe0a29a598..430e84b01bf 100644
--- a/rules/linux/process_creation/proc_creation_lnx_gogs_rebase_rce_argument_injection.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_gogs_rebase_rce_argument_injection.yml
@@ -1,4 +1,3 @@
----
 title: Gogs Rebase Argument Injection RCE via Git Exec Flag
 id: c1c6a4a7-9795-5282-80c7-11da044740ae
 status: experimental

From 2e3fe6d2e36d2fcf9280b1261e7aa653a0826598 Mon Sep 17 00:00:00 2001
From: WinstonRedGuard <281155251+WRG-11@users.noreply.github.com>
Date: Fri, 12 Jun 2026 19:41:57 +0300
Subject: [PATCH 4/5] Add detection rule for CVE-2026-52806 exploitation

This rule detects exploitation of CVE-2026-52806 in Gogs through argument injection in git rebase commands.
---
 ...oc_creation_lnx_exploit_cve_2026_52806.yml | 46 +++++++++++++++++++
 1 file changed, 46 insertions(+)
 create mode 100644 rules-emerging-threats/2026/Exploits/CVE-2026-52806/proc_creation_lnx_exploit_cve_2026_52806.yml

diff --git a/rules-emerging-threats/2026/Exploits/CVE-2026-52806/proc_creation_lnx_exploit_cve_2026_52806.yml b/rules-emerging-threats/2026/Exploits/CVE-2026-52806/proc_creation_lnx_exploit_cve_2026_52806.yml
new file mode 100644
index 00000000000..71df092cf03
--- /dev/null
+++ b/rules-emerging-threats/2026/Exploits/CVE-2026-52806/proc_creation_lnx_exploit_cve_2026_52806.yml
@@ -0,0 +1,46 @@
+title: Potential CVE-2026-52806 Exploitation - Gogs Rebase Argument Injection RCE
+id: c1c6a4a7-9795-5282-80c7-11da044740ae
+status: experimental
+description: |
+    Detects exploitation of CVE-2026-52806, an authenticated argument-injection remote code execution
+    (CWE-88, CVSSv4 9.4) in Gogs. A pull request with a malicious base-branch name injects an --exec flag
+    into the git rebase that Gogs runs during "Rebase before merging". Because the base branch name is passed
+    to git rebase without a -- separator, a branch named like --exec= is interpreted by git as a flag and
+    the command runs via sh -c as the Gogs server user. Any authenticated user can exploit it; on instances
+    with open registration (the default) that means any user. A public Metasploit module exists
+    (multi/http/gogs_rebase_rce). Fixed in Gogs 0.14.3. The 0-FP discriminator is the parent process: the
+    exploit launches git rebase from the Gogs server process, whereas a legitimate git rebase --exec from a
+    developer shell or CI runner has a non-gogs parent and does not match.
+references:
+    - https://www.rapid7.com/blog/post/ve-authenticated-rce-via-argument-injection-gogs-unfixed/
+    - https://thehackernews.com/2026/05/critical-gogs-rce-vulnerability-lets.html
+    - https://github.com/gogs/gogs/pull/8301
+author: WRG-11
+date: 2026-06-01
+modified: 2026-06-12
+tags:
+    - attack.execution
+    - attack.initial-access
+    - attack.t1059
+    - attack.t1190
+    - detection.emerging-threats
+    - cve.2026-52806
+logsource:
+    category: process_creation
+    product: linux
+detection:
+    selection_git_rebase:
+        Image|endswith: '/git'
+        CommandLine|contains: 'rebase'
+    selection_exec_injection:
+        CommandLine|contains:
+            - '--exec'
+            - ' -x '
+    selection_gogs_parent:
+        ParentImage|endswith: '/gogs'
+    condition: selection_git_rebase and selection_exec_injection and selection_gogs_parent
+falsepositives:
+    - A deployment that intentionally runs 'git rebase --exec' as the Gogs service user (for example
+      a scripted maintenance task); add a CommandLine allowlist for that specific command after
+      field-testing.
+level: critical

From b80a7c640c82978a52e1d0fbb59d88a4db75de68 Mon Sep 17 00:00:00 2001
From: WinstonRedGuard <281155251+WRG-11@users.noreply.github.com>
Date: Fri, 12 Jun 2026 19:42:44 +0300
Subject: [PATCH 5/5] Delete rules/linux/process_creation/proc_creation_lnx_gogs_rebase_rce_argument_injection.yml

---
 ...lnx_gogs_rebase_rce_argument_injection.yml | 43 -------------------
 1 file changed, 43 deletions(-)
 delete mode 100644 rules/linux/process_creation/proc_creation_lnx_gogs_rebase_rce_argument_injection.yml

diff --git a/rules/linux/process_creation/proc_creation_lnx_gogs_rebase_rce_argument_injection.yml b/rules/linux/process_creation/proc_creation_lnx_gogs_rebase_rce_argument_injection.yml
deleted file mode 100644
index 430e84b01bf..00000000000
--- a/rules/linux/process_creation/proc_creation_lnx_gogs_rebase_rce_argument_injection.yml
+++ /dev/null
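Review bot: The new file keeps `id: c1c6a4a7-9795-5282-80c7-11da044740ae`, the same UUID as the rule in rules/linux/process_creation/ that is removed only in PATCH 5/5, so at this commit the tree holds two rules with one id and SigmaHQ's duplicate-id check would, as far as I can tell, fail on the intermediate commit. Deleting before adding, or squashing the move into a single commit, avoids that while still preserving the id across the relocation, which is otherwise the right call. `modified: 2026-06-12` on a file that is new to the repository also looks out of place; my understanding of the SigmaHQ convention is that `modified` records changes after a rule has been merged, so a rule first published in this series would carry `date:` alone. The detection block relies on `ParentImage` being populated; on Linux process_creation sources that do not ship parent-image data the rule can never match, which is worth a sentence in the description or in the rule's accompanying documentation so operators know the data-source requirement.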
@@ -1,43 +0,0 @@
-title: Gogs Rebase Argument Injection RCE via Git Exec Flag
-id: c1c6a4a7-9795-5282-80c7-11da044740ae
-status: experimental
-description: |
-    Detects the Gogs authenticated argument-injection RCE (CWE-88, CVSSv4 9.4, unpatched as of
-    disclosure) in which a pull request with a malicious base-branch name injects an --exec flag
-    into the git rebase that Gogs runs during "Rebase before merging". Because the base branch
-    name is passed to git rebase without a -- separator, a branch named like --exec= is
-    interpreted by git as a flag and the command runs via sh -c as the Gogs server user.
-    A public Metasploit module exists (multi/http/gogs_rebase_rce). Only authenticated users
-    need be an attacker; on instances with open registration that means any user.
-    The 0-FP discriminator is the parent process: the exploit launches git rebase from the Gogs
-    server process, whereas a legitimate git rebase --exec from a developer shell or CI runner
-    has a non-gogs parent and does not match.
-references:
-    - https://www.rapid7.com/blog/post/ve-authenticated-rce-via-argument-injection-gogs-unfixed/
-    - https://thehackernews.com/2026/05/critical-gogs-rce-vulnerability-lets.html
-author: WRG-11
-date: 2026-06-01
-tags:
-    - attack.execution
-    - attack.initial-access
-    - attack.t1059
-    - attack.t1190
-logsource:
-    category: process_creation
-    product: linux
-detection:
-    selection_git_rebase:
-        Image|endswith: '/git'
-        CommandLine|contains: 'rebase'
-    selection_exec_injection:
-        CommandLine|contains:
-            - '--exec'
-            - ' -x '
-    selection_gogs_parent:
-        ParentImage|endswith: '/gogs'
-    condition: selection_git_rebase and selection_exec_injection and selection_gogs_parent
-falsepositives:
-    - A deployment that intentionally runs 'git rebase --exec' as the Gogs service user (for example
-      a scripted maintenance task); add a CommandLine allowlist for that specific command after
-      field-testing.
-level: critical