Forgejo
by Forgejo
Source repositories
CVEs (5)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-68937 | Cri | 0.62 | — | 0.00 | Dec 26, 2025 | Forgejo before 13.0.2 allows attackers to write to unintended files, and possibly obtain server shell access, because of mishandling of out-of-repository symlink destinations for template repositories. This is also fixed for 11 LTS in 11.0.7 and later. | ||
| CVE-2025-68971 | Med | 0.35 | 6.5 | 0.00 | Mar 16, 2026 | In Forgejo through 13.0.3, the attachment component allows a denial of service by uploading a multi-gigabyte file attachment (e.g., to be associated with an issue or a release). | ||
| CVE-2023-49948 | 0.00 | — | 0.00 | Dec 3, 2023 | Forgejo before 1.20.5-1 allows remote attackers to test for the existence of private user accounts by appending .rss (or another extension) to a URL. | |||
| CVE-2023-49946 | 0.00 | — | 0.00 | Dec 3, 2023 | In Forgejo before 1.20.5-1, certain endpoints do not check whether an object belongs to a repository for which permissions are being checked. This allows remote attackers to read private issues, read private pull requests, delete issues, and perform other unauthorized actions. | |||
| CVE-2023-49947 | 0.00 | — | 0.00 | Dec 3, 2023 | Forgejo before 1.20.5-1 allows 2FA bypass when docker login uses Basic Authentication. |
- risk 0.62cvss —epss 0.00
Forgejo before 13.0.2 allows attackers to write to unintended files, and possibly obtain server shell access, because of mishandling of out-of-repository symlink destinations for template repositories. This is also fixed for 11 LTS in 11.0.7 and later.
- risk 0.35cvss 6.5epss 0.00
In Forgejo through 13.0.3, the attachment component allows a denial of service by uploading a multi-gigabyte file attachment (e.g., to be associated with an issue or a release).
- CVE-2023-49948Dec 3, 2023risk 0.00cvss —epss 0.00
Forgejo before 1.20.5-1 allows remote attackers to test for the existence of private user accounts by appending .rss (or another extension) to a URL.
- CVE-2023-49946Dec 3, 2023risk 0.00cvss —epss 0.00
In Forgejo before 1.20.5-1, certain endpoints do not check whether an object belongs to a repository for which permissions are being checked. This allows remote attackers to read private issues, read private pull requests, delete issues, and perform other unauthorized actions.
- CVE-2023-49947Dec 3, 2023risk 0.00cvss —epss 0.00
Forgejo before 1.20.5-1 allows 2FA bypass when docker login uses Basic Authentication.