Forgejo disclosure alleges RCE, takeover, leaks

This reads like a high-signal security warning rather than a routine bug report: the author is explicitly saying the codebase is deep enough that one evening of digging produced an RCE chain, which is a bad look for a platform that now sits in critical infrastructure workflows.

• –The disclosure is framed as a “carrot disclosure,” meaning the author is intentionally withholding full exploit details to force a broader fix response.
• –The alleged impact is serious: RCE, secret leakage, persistent access, and OAuth2 privilege escalation.
• –The post calls out multiple classes of weakness, suggesting systemic hardening gaps rather than a single isolated bug.
• –Because the author reports a non-default configuration dependency for the RCE, the practical risk may vary by deployment, but the security posture concern is still substantial.