Multiple unpatched critical/high CVEs #7777

@k3an3

As per https://www.sonarsource.com/blog/securing-developer-tools-unpatched-code-vulnerabilities-in-gogs-1/, multiple critical and high CVEs were reported to Gogs maintainers in April 2023 but have not been addressed:

  • Argument Injection in the built-in SSH server (CVE-2024-39930, CVSS 9.9 Critical)
  • Argument Injection when tagging new releases (CVE-2024-39933, CVSS 7.7 High)
  • Argument Injection during changes preview (CVE-2024-39932, CVSS 9.9 Critical)
  • Deletion of internal files (CVE-2024-39931, CVSS 9.9 Critical)
  • Remote code execution via web editor when editing and moving a symlink (CVE-2024-44625, I'm guessing CVSS ~8.8 High)

Is this project still alive? Strongly considering switching to Gitea where these issues are not present.
