Go modules package
code.gitea.io/gitea
pkg:golang/code.gitea.io/gitea
Vulnerabilities (32)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-20736 | — | | | < 1.25.4 | 1.25.4 | Jan 22, 2026 | Gitea does not properly verify repository context when deleting attachments. A user who previously uploaded an attachment to a repository may be able to delete it after losing access to that repository by making the request through a different repository they can access. |
| CVE-2026-0798 | — | | | < 1.25.4 | 1.25.4 | Jan 22, 2026 | Gitea may send release notification emails for private repositories to users whose access has been revoked. When a repository is changed from public to private, users who previously watched the repository may continue to receive release notifications, potentially disclosing relea |
| CVE-2025-69413 | — | | | < 1.25.2 | 1.25.2 | Jan 1, 2026 | In Gitea before 1.25.2, /api/v1/user has different responses for failed authentication depending on whether a username exists. |
| CVE-2025-68946 | — | | | < 1.20.1 | 1.20.1 | Dec 26, 2025 | In Gitea before 1.20.1, a forbidden URL scheme such as javascript: can be used for a link, aka XSS. |
| CVE-2025-68945 | — | | | < 1.21.2 | 1.21.2 | Dec 26, 2025 | In Gitea before 1.21.2, an anonymous user can visit a private user's project. |
| CVE-2025-68944 | — | | | < 1.22.2 | 1.22.2 | Dec 26, 2025 | Gitea before 1.22.2 sometimes mishandles the propagation of token scope for access control within one of its own package registries. |
| CVE-2025-68943 | — | | | < 1.21.8 | 1.21.8 | Dec 26, 2025 | Gitea before 1.21.8 inadvertently discloses users' login times by allowing (for example) the lastlogintime explore/users sort order. |
| CVE-2025-68942 | — | | | < 1.22.2 | 1.22.2 | Dec 26, 2025 | Gitea before 1.22.2 allows XSS because the search input box (for creating tags and branches) is v-html instead of v-text. |
| CVE-2025-68941 | — | | | < 1.22.3 | 1.22.3 | Dec 26, 2025 | Gitea before 1.22.3 mishandles access to a private resource upon receiving an API token with scope limited to public resources. |
| CVE-2025-68940 | — | | | < 1.22.5 | 1.22.5 | Dec 26, 2025 | In Gitea before 1.22.5, branch deletion permissions are not adequately enforced after merging a pull request. |
| CVE-2025-68939 | — | | | >= 0 | — | Dec 26, 2025 | Gitea before 1.23.0 allows attackers to add attachments with forbidden file extensions by editing an attachment name via an attachment API. |
| CVE-2025-68938 | — | | | < 1.25.2 | 1.25.2 | Dec 26, 2025 | Gitea before 1.25.2 mishandles authorization for deletion of releases. |
| CVE-2024-6886 | Critical | — | | < 1.22.1 | 1.22.1 | Aug 6, 2024 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Gitea Gitea Open Source Git Server allows Stored XSS. This issue affects Gitea Open Source Git Server: 1.22.0. |
| CVE-2022-38795 | — | | | < 1.17.2 | 1.17.2 | Aug 7, 2023 | In Gitea through 1.17.1, repo cloning can occur in the migration function. |
| CVE-2023-3515 | — | | | < 1.19.4 | 1.19.4 | Jul 5, 2023 | Open Redirect in GitHub repository go-gitea/gitea prior to 1.19.4. |
| CVE-2022-38183 | — | | | < 1.16.9 | 1.16.9 | Aug 12, 2022 | In Gitea before 1.16.9, it was possible for users to add existing issues to projects. Due to improper access controls, an attacker could assign any issue to any project in Gitea (there was no permission check for fetching the issue). As a result, the attacker would get access to |
| CVE-2022-1928 | — | | | < 1.16.9 | 1.16.9 | May 29, 2022 | Cross-site Scripting (XSS) - Stored in GitHub repository go-gitea/gitea prior to 1.16.9. |
| CVE-2022-30781 | — | | | < 1.16.7 | 1.16.7 | May 16, 2022 | Gitea before 1.16.7 does not escape git fetch remote. |
| CVE-2022-27313 | — | | | < 1.16.4 | 1.16.4 | May 3, 2022 | An arbitrary file deletion vulnerability in Gitea v1.16.3 allows attackers to cause a Denial of Service (DoS) via deleting the configuration file. |
| CVE-2022-1058 | — | | | < 1.16.5 | 1.16.5 | Mar 24, 2022 | Open Redirect on login in GitHub repository go-gitea/gitea prior to 1.16.5. |
Page 1 of 2