Bitnami package
gitea
pkg:bitnami/gitea
Vulnerabilities (42)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-20912 | — | | | < 1.25.4 | 1.25.4 | Jan 22, 2026 | Gitea does not properly validate repository ownership when linking attachments to releases. An attachment uploaded to a private repository could potentially be linked to a release in a different public repository, making it accessible to unauthorized users. |
| CVE-2026-20904 | — | | | < 1.25.4 | 1.25.4 | Jan 22, 2026 | Gitea does not properly validate ownership when toggling OpenID URI visibility. An authenticated user may be able to change the visibility settings of other users' OpenID identities. |
| CVE-2026-20897 | — | | | < 1.25.4 | 1.25.4 | Jan 22, 2026 | Gitea does not properly validate repository ownership when deleting Git LFS locks. A user with write access to one repository may be able to delete LFS locks belonging to other repositories. |
| CVE-2026-20888 | — | | | < 1.25.4 | 1.25.4 | Jan 22, 2026 | Gitea does not properly verify authorization when canceling scheduled auto-merges via the web interface. A user with read access to pull requests may be able to cancel auto-merges scheduled by other users. |
| CVE-2026-20883 | — | | | < 1.25.4 | 1.25.4 | Jan 22, 2026 | Gitea's stopwatch API does not re-validate repository access permissions. After a user's access to a private repository is revoked, they may still view issue titles and repository names through previously started stopwatches. |
| CVE-2026-20800 | — | | | < 1.25.4 | 1.25.4 | Jan 22, 2026 | Gitea's notification API does not re-validate repository access permissions when returning notification details. After a user's access to a private repository is revoked, they may still view issue and pull request titles through previously received notifications. |
| CVE-2026-20750 | — | | | < 1.25.4 | 1.25.4 | Jan 22, 2026 | Gitea does not properly validate project ownership in organization project operations. A user with project write access in one organization may be able to modify projects belonging to a different organization. |
| CVE-2026-20736 | — | | | < 1.25.4 | 1.25.4 | Jan 22, 2026 | Gitea does not properly verify repository context when deleting attachments. A user who previously uploaded an attachment to a repository may be able to delete it after losing access to that repository by making the request through a different repository they can access. |
| CVE-2026-0798 | — | | | < 1.25.4 | 1.25.4 | Jan 22, 2026 | Gitea may send release notification emails for private repositories to users whose access has been revoked. When a repository is changed from public to private, users who previously watched the repository may continue to receive release notifications, potentially disclosing relea |
| CVE-2025-69413 | — | | | < 1.25.2 | 1.25.2 | Jan 1, 2026 | In Gitea before 1.25.2, /api/v1/user has different responses for failed authentication depending on whether a username exists. |
| CVE-2025-68946 | — | | | < 1.20.1 | 1.20.1 | Dec 26, 2025 | In Gitea before 1.20.1, a forbidden URL scheme such as javascript: can be used for a link, aka XSS. |
| CVE-2025-68945 | — | | | < 1.21.2 | 1.21.2 | Dec 26, 2025 | In Gitea before 1.21.2, an anonymous user can visit a private user's project. |
| CVE-2025-68944 | — | | | < 1.22.2 | 1.22.2 | Dec 26, 2025 | Gitea before 1.22.2 sometimes mishandles the propagation of token scope for access control within one of its own package registries. |
| CVE-2025-68943 | — | | | < 1.21.8 | 1.21.8 | Dec 26, 2025 | Gitea before 1.21.8 inadvertently discloses users' login times by allowing (for example) the lastlogintime explore/users sort order. |
| CVE-2025-68942 | — | | | < 1.22.2 | 1.22.2 | Dec 26, 2025 | Gitea before 1.22.2 allows XSS because the search input box (for creating tags and branches) is v-html instead of v-text. |
| CVE-2025-68941 | — | | | < 1.22.3 | 1.22.3 | Dec 26, 2025 | Gitea before 1.22.3 mishandles access to a private resource upon receiving an API token with scope limited to public resources. |
| CVE-2025-68940 | — | | | < 1.22.5 | 1.22.5 | Dec 26, 2025 | In Gitea before 1.22.5, branch deletion permissions are not adequately enforced after merging a pull request. |
| CVE-2025-68939 | — | | | < 1.23.0 | 1.23.0 | Dec 26, 2025 | Gitea before 1.23.0 allows attackers to add attachments with forbidden file extensions by editing an attachment name via an attachment API. |
| CVE-2025-68938 | — | | | < 1.25.2 | 1.25.2 | Dec 26, 2025 | Gitea before 1.25.2 mishandles authorization for deletion of releases. |
| CVE-2022-38795 | — | | | < 1.17.2 | 1.17.2 | Aug 7, 2023 | In Gitea through 1.17.1, repo cloning can occur in the migration function. |
Page 1 of 3