Go modules package
github.com/go-gitea/gitea
pkg:golang/github.com/go-gitea/gitea
Vulnerabilities (19)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-20912 | — | | | < 1.25.4 | 1.25.4 | Jan 22, 2026 | Gitea does not properly validate repository ownership when linking attachments to releases. An attachment uploaded to a private repository could potentially be linked to a release in a different public repository, making it accessible to unauthorized users. |
| CVE-2026-20904 | — | | | < 1.25.4 | 1.25.4 | Jan 22, 2026 | Gitea does not properly validate ownership when toggling OpenID URI visibility. An authenticated user may be able to change the visibility settings of other users' OpenID identities. |
| CVE-2026-20897 | — | | | < 1.25.4 | 1.25.4 | Jan 22, 2026 | Gitea does not properly validate repository ownership when deleting Git LFS locks. A user with write access to one repository may be able to delete LFS locks belonging to other repositories. |
| CVE-2026-20888 | — | | | < 1.25.4 | 1.25.4 | Jan 22, 2026 | Gitea does not properly verify authorization when canceling scheduled auto-merges via the web interface. A user with read access to pull requests may be able to cancel auto-merges scheduled by other users. |
| CVE-2026-20883 | — | | | < 1.25.4 | 1.25.4 | Jan 22, 2026 | Gitea's stopwatch API does not re-validate repository access permissions. After a user's access to a private repository is revoked, they may still view issue titles and repository names through previously started stopwatches. |
| CVE-2026-20800 | — | | | < 1.25.4 | 1.25.4 | Jan 22, 2026 | Gitea's notification API does not re-validate repository access permissions when returning notification details. After a user's access to a private repository is revoked, they may still view issue and pull request titles through previously received notifications. |
| CVE-2026-20750 | — | | | < 1.25.4 | 1.25.4 | Jan 22, 2026 | Gitea does not properly validate project ownership in organization project operations. A user with project write access in one organization may be able to modify projects belonging to a different organization. |
| CVE-2022-42968 | — | | | < 1.17.3 | 1.17.3 | Oct 16, 2022 | Gitea before 1.17.3 does not sanitize and escape refs in the git backend. Arguments to git commands are mishandled. |
| CVE-2021-45329 | — | | | < 1.5.1 | 1.5.1 | Feb 8, 2022 | Cross Site Scripting (XSS) vulnerability exists in Gitea before 1.5.1 via the repository settings inside the external wiki/issue tracker URL field. |
| CVE-2021-45328 | — | | | < 1.4.3 | 1.4.3 | Feb 8, 2022 | Gitea before 1.4.3 is affected by URL Redirection to Untrusted Site ('Open Redirect') via internal URLs. |
| CVE-2021-45327 | — | | | < 1.11.2 | 1.11.2 | Feb 8, 2022 | Gitea before 1.11.2 is affected by Trusting HTTP Permission Methods on the Server Side when referencing the vulnerable admin or user API, which could let a remote malicious user execute arbitrary code. |
| CVE-2021-45326 | — | | | < 1.5.2 | 1.5.2 | Feb 8, 2022 | Cross Site Request Forgery (CSRF) vulnerability exists in Gitea before 1.5.2 via API routes. This can be dangerous, especially with state-altering POST requests. |
| CVE-2021-45325 | — | | | < 1.7.0 | 1.7.0 | Feb 8, 2022 | Server Side Request Forgery (SSRF) vulnerability exists in Gitea before 1.7.0 using the OpenID URL. |
| CVE-2021-3382 | — | | | >= 1.9.0, < 1.13.2 | 1.13.2 | Feb 5, 2021 | Stack buffer overflow vulnerability in Gitea 1.9.0 through 1.13.1 allows remote attackers to cause a denial of service (crash) via vectors related to a file path. |
| CVE-2020-28991 | — | | | >= 0.9.99, < 1.12.6 | 1.12.6 | Nov 24, 2020 | Gitea 0.9.99 through 1.12.x before 1.12.6 does not prevent a git protocol path that specifies a TCP port number and also contains newlines (with URL encoding) in ParseRemoteAddr in modules/auth/repo_form.go. |
| CVE-2020-13246 | — | | | < 1.12.0 | 1.12.0 | May 20, 2020 | An issue was discovered in Gitea through 1.11.5. An attacker can trigger a deadlock by initiating a transfer of a repository's ownership from one organization to another. |
| CVE-2019-11229 | — | | | < 1.7.6 | 1.7.6 | Apr 13, 2019 | models/repo_mirror.go in Gitea before 1.7.6 and 1.8.x before 1.8-RC3 mishandles mirror repo URL settings, leading to remote code execution. |
| CVE-2019-11228 | — | | | < 1.7.6 | 1.7.6 | Apr 13, 2019 | repo/setting.go in Gitea before 1.7.6 and 1.8.x before 1.8-RC3 does not validate the form.MirrorAddress before calling SaveAddress. |
| CVE-2018-1000803 | — | | | < 1.5.1 | 1.5.1 | Oct 8, 2018 | Gitea versions prior to 1.5.1 contain a CWE-200 vulnerability that can result in exposure of users' private email addresses. This attack appears to be exploitable via watching a repository to receive email notifications. Emails received contain the other recipients even if the |
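The practical use of the "Affected versions" column is to compare a deployed Gitea version against each row's range. The Go program below is an added example written for this page, not code from the Gitea project; it copies five rows of the table as data, parses the `< x.y.z` and `>= a, < b` constraint syntax the table uses, and treats a `-RC` or `-dev` suffix as sorting before the bare release (an assumption the table does not state). The table's ranges are simplified: the descriptions of CVE-2019-11229 and CVE-2019-11228 also name 1.8.x before 1.8-RC3, which `< 1.7.6` does not capture, so read the description as well as the range before concluding a version is clean.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Advisory is one row of the table above: CVE, "Affected versions" cell, fix version.
type Advisory struct {
	ID       string
	Affected string
	FixedIn  string
}

// version is a parsed dotted release number; pre records a "-suffix" such as
// -RC3 or -dev, which is taken to sort before the bare release (assumption).
type version struct {
	nums []int
	pre  bool
}

func parseVersion(s string) (version, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	var v version
	if i := strings.IndexByte(s, '-'); i >= 0 {
		v.pre = true
		s = s[:i]
	}
	if i := strings.IndexByte(s, '+'); i >= 0 { // build metadata never affects ordering
		s = s[:i]
	}
	for _, p := range strings.Split(s, ".") {
		n, err := strconv.Atoi(p)
		if err != nil {
			return version{}, fmt.Errorf("bad version component %q in %q", p, s)
		}
		v.nums = append(v.nums, n)
	}
	return v, nil
}

// compare returns -1, 0 or 1. Missing trailing components count as 0, so
// "1.8" == "1.8.0" and "1.8-RC3" < "1.8.0".
func compare(a, b version) int {
	for i := 0; i < len(a.nums) || i < len(b.nums); i++ {
		var x, y int
		if i < len(a.nums) {
			x = a.nums[i]
		}
		if i < len(b.nums) {
			y = b.nums[i]
		}
		if x != y {
			if x < y {
				return -1
			}
			return 1
		}
	}
	if a.pre != b.pre {
		if a.pre {
			return -1
		}
		return 1
	}
	return 0
}

// Satisfies reports whether v lies inside a constraint such as "< 1.25.4" or
// ">= 1.9.0, < 1.13.2": every comma-separated clause must hold.
func Satisfies(v, constraint string) (bool, error) {
	ver, err := parseVersion(v)
	if err != nil {
		return false, err
	}
	for _, clause := range strings.Split(constraint, ",") {
		clause = strings.TrimSpace(clause)
		var op string
		for _, cand := range []string{">=", "<=", ">", "<", "="} { // two-char ops first
			if strings.HasPrefix(clause, cand) {
				op = cand
				break
			}
		}
		if op == "" {
			return false, fmt.Errorf("clause %q has no supported operator", clause)
		}
		rhs, err := parseVersion(clause[len(op):])
		if err != nil {
			return false, err
		}
		c := compare(ver, rhs)
		ok := map[string]bool{"<": c < 0, "<=": c <= 0, ">": c > 0, ">=": c >= 0, "=": c == 0}[op]
		if !ok {
			return false, nil
		}
	}
	return true, nil
}

// Affecting returns the IDs of advisories whose range includes version v.
func Affecting(v string, advisories []Advisory) ([]string, error) {
	var hits []string
	for _, a := range advisories {
		ok, err := Satisfies(v, a.Affected)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", a.ID, err)
		}
		if ok {
			hits = append(hits, a.ID)
		}
	}
	return hits, nil
}

// GiteaAdvisories copies five rows of the table above as data.
var GiteaAdvisories = []Advisory{
	{"CVE-2026-20912", "< 1.25.4", "1.25.4"},
	{"CVE-2022-42968", "< 1.17.3", "1.17.3"},
	{"CVE-2021-3382", ">= 1.9.0, < 1.13.2", "1.13.2"},
	{"CVE-2020-28991", ">= 0.9.99, < 1.12.6", "1.12.6"},
	{"CVE-2019-11229", "< 1.7.6", "1.7.6"},
}

func main() {
	for _, v := range []string{"1.13.1", "1.25.3", "1.25.4"} {
		hits, err := Affecting(v, GiteaAdvisories)
		if err != nil {
			panic(err)
		}
		fmt.Printf("gitea %s: %d matching advisories %v\n", v, len(hits), hits)
	}
}
```

Running it reports three matches for 1.13.1, one for 1.25.3 and none for 1.25.4. An unsupported operator is an error rather than a silent non-match, so a typo in the constraint data cannot hide a hit.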
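Seven of the advisories fixed in 1.25.4 share one defect class: an object is fetched by a globally unique identifier (attachment UUID, LFS lock, project, OpenID URI, auto-merge) and acted on under a permission the caller holds for a different repository, organization or user. Two more (stopwatches, notifications) return data that was authorized when it was created and never re-checked at read time. The Go sketch below is an added illustration of both patterns with hypothetical types and a constructed in-memory store; it is not Gitea's code and does not reproduce its handlers or models. The vulnerable and checked variants sit side by side: the fix for the first pattern is to require that the object's owning scope equals the scope the caller is acting in, and for the second to re-evaluate access at read time.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed in-memory model for illustration only; these are not Gitea's types.
type Attachment struct {
	UUID      string
	RepoID    int64 // repository the file was uploaded to
	ReleaseID int64 // 0 until linked
}

type Release struct {
	ID     int64
	RepoID int64
}

type Notification struct {
	ID     int64
	UserID int64
	RepoID int64
	Title  string // issue/PR title copied in when the notification was created
}

type Store struct {
	attachments   map[string]*Attachment
	releases      map[int64]*Release
	notifications map[int64]*Notification
	access        map[int64]map[int64]bool // userID -> repoID -> can read now
}

var (
	ErrNotFound  = errors.New("not found")
	ErrForbidden = errors.New("forbidden")
)

func (s *Store) canRead(userID, repoID int64) bool { return s.access[userID][repoID] }

// LinkAttachmentVulnerable: the caller is authorized on rel.RepoID, the attachment
// is found by its globally unique UUID, and nothing compares the two scopes.
func (s *Store) LinkAttachmentVulnerable(releaseID int64, uuid string) error {
	rel, ok := s.releases[releaseID]
	if !ok {
		return ErrNotFound
	}
	att, ok := s.attachments[uuid]
	if !ok {
		return ErrNotFound
	}
	att.ReleaseID = rel.ID // BUG: att.RepoID may be a private repo the caller cannot read
	return nil
}

// LinkAttachmentChecked scopes the lookup to the repository the caller is acting in.
func (s *Store) LinkAttachmentChecked(releaseID int64, uuid string) error {
	rel, ok := s.releases[releaseID]
	if !ok {
		return ErrNotFound
	}
	att, ok := s.attachments[uuid]
	if !ok || att.RepoID != rel.RepoID {
		return ErrNotFound // same error as a bad UUID: do not confirm the object exists elsewhere
	}
	att.ReleaseID = rel.ID
	return nil
}

// NotificationTitleVulnerable returns whatever was stored when access was granted.
func (s *Store) NotificationTitleVulnerable(userID, id int64) (string, error) {
	n, ok := s.notifications[id]
	if !ok || n.UserID != userID {
		return "", ErrNotFound
	}
	return n.Title, nil // BUG: access to n.RepoID may have been revoked since
}

// NotificationTitleChecked re-evaluates repository access at read time.
func (s *Store) NotificationTitleChecked(userID, id int64) (string, error) {
	n, ok := s.notifications[id]
	if !ok || n.UserID != userID {
		return "", ErrNotFound
	}
	if !s.canRead(userID, n.RepoID) {
		return "", ErrForbidden
	}
	return n.Title, nil
}

// NewDemoStore builds the constructed scenario: repo 1 is private, repo 2 public.
// User 7 once had access to repo 1 (hence a notification and an attachment UUID
// from it), has since lost that access, and can write releases in repo 2.
func NewDemoStore() *Store {
	return &Store{
		attachments:   map[string]*Attachment{"att-private": {UUID: "att-private", RepoID: 1}},
		releases:      map[int64]*Release{10: {ID: 10, RepoID: 2}},
		notifications: map[int64]*Notification{100: {ID: 100, UserID: 7, RepoID: 1, Title: "secret roadmap"}},
		access:        map[int64]map[int64]bool{7: {2: true}}, // repo 1 revoked
	}
}

func main() {
	s := NewDemoStore()
	fmt.Println("vulnerable link:", s.LinkAttachmentVulnerable(10, "att-private"))
	s = NewDemoStore()
	fmt.Println("checked link:", s.LinkAttachmentChecked(10, "att-private"))
	_, err := s.NotificationTitleChecked(7, 100)
	fmt.Println("checked notification read:", err)
}
```

The checked link deliberately returns the same "not found" error for a wrong-scope attachment as for a nonexistent UUID, so the endpoint cannot be used as an oracle for which UUIDs exist in repositories the caller cannot see.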