Gitea
by Go Gitea
Source repositories
CVEs (55)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-68937 | | Critical | 0.62 | — | 0.00 | | Dec 26, 2025 | Forgejo before 13.0.2 allows attackers to write to unintended files, and possibly obtain server shell access, because of mishandling of out-of-repository symlink destinations for template repositories. This is also fixed for 11 LTS in 11.0.7 and later. |
| CVE-2024-6886 | | Critical | 0.60 | — | 0.40 | | Aug 6, 2024 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Gitea Gitea Open Source Git Server allows Stored XSS. This issue affects Gitea Open Source Git Server: 1.22.0. |
| CVE-2026-28737 | | High | 0.45 | — | — | | Jun 17, 2026 | Summary: Me again. Gitea's built-in 3D file viewer (powered by Online3DViewer) is vulnerable to stored cross-site scripting (XSS) through crafted `.gltf` files. When a glTF file declares an unsupported required extension, Online3DViewer generates an error message containing… |
| CVE-2026-52807 | | High | 0.38 | — | 0.00 | | Jun 23, 2026 | Summary: The fix for GHSA-vgjm-2cpf-4g7c (DOM-based XSS via milestone selection) was only applied to `templates/repo/issue/view_content.tmpl` but not to `templates/repo/issue/new_form.tmpl`. An attacker can store an HTML/JavaScript payload in a milestone name, and when any… |
| CVE-2026-24791 | | High | 0.38 | — | — | | Jun 17, 2026 | Summary: Many authenticated self routes under `/api/v1/user/...` do not enforce the `public-only` token restriction. As a result, a token or OAuth grant marked `public-only`, but otherwise carrying the route-required read/write scope category, can access or modify private… |
| CVE-2026-22555 | | High | 0.38 | — | — | | Jun 17, 2026 | Summary: The API endpoint `POST /api/v1/repos/{owner}/{repo}/forks` only checks `IsOrgMember()` when a user forks a repository into an organization, but does not check `CanCreateOrgRepo()`. The web UI fork handler correctly checks both. This allows a read-only organization… |
| CVE-2026-26231 | | High | 0.38 | — | — | | Jun 16, 2026 | Summary: Any authenticated low-privilege user with read access to a repository can push arbitrary commits directly to that repository, bypassing all write-access checks. Vulnerability: Gitea's "Allow edits from maintainers" PR option can be abused via reverse-fork PRs: … |
| CVE-2026-28699 | | High | 0.38 | — | — | | Jun 16, 2026 | Summary: Gitea fails to enforce OAuth2 access token scopes when the token is submitted via HTTP Basic authentication instead of a Bearer token. An OAuth2 application granted only `read:user` can use the same token as `Authorization: Basic base64(:x-oauth-basic)` and… |
| CVE-2026-28744 | | High | 0.38 | — | — | | Jun 16, 2026 | Summary: Gitea v1.26.1 enforces repository-scoped access-token permissions on repository operations. In the Git Smart HTTP path, however, this check runs only when the token is presented via HTTP Basic authentication — `CheckRepoScopedToken()` returns early unless… |
| CVE-2019-11229 | | | 0.07 | — | 0.56 | | Apr 13, 2019 | models/repo_mirror.go in Gitea before 1.7.6 and 1.8.x before 1.8-RC3 mishandles mirror repo URL settings, leading to remote code execution. |
| CVE-2022-30781 | | | 0.03 | — | 0.88 | | May 16, 2022 | Gitea before 1.16.7 does not escape git fetch remote. |
| CVE-2026-25779 | | | 0.00 | — | — | | Jun 17, 2026 | Details: Despite the validation within `urlIsRelative` in `modules/httplib/url.go`, an open redirect is still possible due to usage of directory traversal sequences plus a back-slash in the "redirect_to" parameter. PoC: When a user uses this URL to login: … |
| CVE-2026-20706 | | | 0.00 | — | — | | Jun 16, 2026 | Summary: PR #37698 added checkDownloadTokenScope to /raw/*, /media/*, and attachment download web endpoints. The /archive/* endpoint (repo.Download in routers/web/repo/repo.go:372) was not included in the fix. This endpoint accepts OAuth2 tokens via webAuth.AllowOAuth2… |
| CVE-2026-27783 | | | 0.00 | — | — | | Jun 16, 2026 | Summary: Three Gitea API endpoints — `GET /repos/{owner}/{repo}/issue_templates`, `GET /repos/{owner}/{repo}/issue_config` and `GET /repos/{owner}/{repo}/issue_config/validate` — read files from the repository's **Code** default branch (`.gitea/ISSUE_TEMPLATE/*` and… |
| CVE-2026-25714 | | | 0.00 | — | — | | Jun 16, 2026 | Summary: Two related issues in the token public-only scope enforcement introduced by PR #32204 (CVE-2025-68941 fix). A public-only scoped API token can access private organization data. Issue 1: /user/orgs missing checkTokenPublicOnly() `routers/api/v1/api.go` line 1599:… |
| CVE-2026-20912 | | | 0.00 | — | 0.00 | | Jan 22, 2026 | Gitea does not properly validate repository ownership when linking attachments to releases. An attachment uploaded to a private repository could potentially be linked to a release in a different public repository, making it accessible to unauthorized users. |
| CVE-2026-20904 | | | 0.00 | — | 0.00 | | Jan 22, 2026 | Gitea does not properly validate ownership when toggling OpenID URI visibility. An authenticated user may be able to change the visibility settings of other users' OpenID identities. |
| CVE-2026-20897 | | | 0.00 | — | 0.00 | | Jan 22, 2026 | Gitea does not properly validate repository ownership when deleting Git LFS locks. A user with write access to one repository may be able to delete LFS locks belonging to other repositories. |
| CVE-2026-20888 | | | 0.00 | — | 0.00 | | Jan 22, 2026 | Gitea does not properly verify authorization when canceling scheduled auto-merges via the web interface. A user with read access to pull requests may be able to cancel auto-merges scheduled by other users. |
| CVE-2026-20883 | | | 0.00 | — | 0.00 | | Jan 22, 2026 | Gitea's stopwatch API does not re-validate repository access permissions. After a user's access to a private repository is revoked, they may still view issue titles and repository names through previously started stopwatches. |
Page 1 of 3