VYPR

Vendor CVEs

Go Gitea

All CVEs

55 total · sorted by risk
  • CVE-2025-68937 · Critical · Dec 26, 2025
    risk 0.62 · cvss n/a · epss 0.00

    Forgejo before 13.0.2 allows attackers to write to unintended files, and possibly obtain server shell access, because of mishandling of out-of-repository symlink destinations for template repositories. This is also fixed for 11 LTS in 11.0.7 and later.

  • CVE-2024-6886 · Critical · Aug 6, 2024
    risk 0.60 · cvss n/a · epss 0.40

    Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Gitea Gitea Open Source Git Server allows Stored XSS. This issue affects Gitea Open Source Git Server: 1.22.0.

  • CVE-2026-28737 · High · Jun 17, 2026
    risk 0.45 · cvss n/a · epss n/a

    Summary: Me again. Gitea's built-in 3D file viewer (powered by Online3DViewer) is vulnerable to stored cross-site scripting (XSS) through crafted `.gltf` files. When a glTF file declares an unsupported required extension, Online3DViewer generates an error message containing…

  • CVE-2026-52807 · High · Jun 23, 2026
    risk 0.38 · cvss n/a · epss 0.00

    Summary: The fix for GHSA-vgjm-2cpf-4g7c (DOM-based XSS via milestone selection) was only applied to `templates/repo/issue/view_content.tmpl` but not to `templates/repo/issue/new_form.tmpl`. An attacker can store an HTML/JavaScript payload in a milestone name, and when any…

  • CVE-2026-24791 · High · Jun 17, 2026
    risk 0.38 · cvss n/a · epss n/a

    Summary: Many authenticated self routes under `/api/v1/user/...` do not enforce the `public-only` token restriction. As a result, a token or OAuth grant marked `public-only`, but otherwise carrying the route-required read/write scope category, can access or modify private…

  • CVE-2026-22555 · High · Jun 17, 2026
    risk 0.38 · cvss n/a · epss n/a

    Summary: The API endpoint `POST /api/v1/repos/{owner}/{repo}/forks` only checks `IsOrgMember()` when a user forks a repository into an organization, but does not check `CanCreateOrgRepo()`. The web UI fork handler correctly checks both. This allows a read-only organization…

  • CVE-2026-26231 · High · Jun 16, 2026
    risk 0.38 · cvss n/a · epss n/a

    Summary: Any authenticated low-privilege user with read access to a repository can push arbitrary commits directly to that repository, bypassing all write-access checks. Vulnerability: Gitea's "Allow edits from maintainers" PR option can be abused via reverse-fork PRs: …

  • CVE-2026-28699 · High · Jun 16, 2026
    risk 0.38 · cvss n/a · epss n/a

    Summary: Gitea fails to enforce OAuth2 access token scopes when the token is submitted via HTTP Basic authentication instead of a Bearer token. An OAuth2 application granted only `read:user` can use the same token as `Authorization: Basic base64(:x-oauth-basic)` and…

  • CVE-2026-28744 · High · Jun 16, 2026
    risk 0.38 · cvss n/a · epss n/a

    Summary: Gitea v1.26.1 enforces repository-scoped access-token permissions on repository operations. In the Git Smart HTTP path, however, this check runs only when the token is presented via HTTP Basic authentication — `CheckRepoScopedToken()` returns early unless…

  • CVE-2019-11229 · Apr 13, 2019
    risk 0.07 · cvss n/a · epss 0.56

    models/repo_mirror.go in Gitea before 1.7.6 and 1.8.x before 1.8-RC3 mishandles mirror repo URL settings, leading to remote code execution.

  • CVE-2022-30781 · May 16, 2022
    risk 0.03 · cvss n/a · epss 0.88

    Gitea before 1.16.7 does not escape git fetch remote.

  • CVE-2026-25779 · Jun 17, 2026
    risk 0.00 · cvss n/a · epss n/a

    Details: Despite the validation within `urlIsRelative` in `modules/httplib/url.go`, an open redirect is still possible due to usage of directory traversal sequences plus a back-slash in the "redirect_to" parameter. PoC: When a user uses this URL to login: …

  • CVE-2026-20706 · Jun 16, 2026
    risk 0.00 · cvss n/a · epss n/a

    Summary: PR #37698 added checkDownloadTokenScope to /raw/*, /media/*, and attachment download web endpoints. The /archive/* endpoint (repo.Download in routers/web/repo/repo.go:372) was not included in the fix. This endpoint accepts OAuth2 tokens via webAuth.AllowOAuth2…

  • CVE-2026-27783 · Jun 16, 2026
    risk 0.00 · cvss n/a · epss n/a

    Summary: Three Gitea API endpoints — `GET /repos/{owner}/{repo}/issue_templates`, `GET /repos/{owner}/{repo}/issue_config` and `GET /repos/{owner}/{repo}/issue_config/validate` — read files from the repository's **Code** default branch (`.gitea/ISSUE_TEMPLATE/*` and…

  • CVE-2026-25714 · Jun 16, 2026
    risk 0.00 · cvss n/a · epss n/a

    Summary: Two related issues in the token public-only scope enforcement introduced by PR #32204 (CVE-2025-68941 fix). A public-only scoped API token can access private organization data. Issue 1: /user/orgs missing checkTokenPublicOnly(). `routers/api/v1/api.go` line 1599:…

  • CVE-2026-20912 · Jan 22, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Gitea does not properly validate repository ownership when linking attachments to releases. An attachment uploaded to a private repository could potentially be linked to a release in a different public repository, making it accessible to unauthorized users.

  • CVE-2026-20904 · Jan 22, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Gitea does not properly validate ownership when toggling OpenID URI visibility. An authenticated user may be able to change the visibility settings of other users' OpenID identities.

  • CVE-2026-20897 · Jan 22, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Gitea does not properly validate repository ownership when deleting Git LFS locks. A user with write access to one repository may be able to delete LFS locks belonging to other repositories.

  • CVE-2026-20888 · Jan 22, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Gitea does not properly verify authorization when canceling scheduled auto-merges via the web interface. A user with read access to pull requests may be able to cancel auto-merges scheduled by other users.

  • CVE-2026-20883 · Jan 22, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Gitea's stopwatch API does not re-validate repository access permissions. After a user's access to a private repository is revoked, they may still view issue titles and repository names through previously started stopwatches.

  • CVE-2026-20800 · Jan 22, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Gitea's notification API does not re-validate repository access permissions when returning notification details. After a user's access to a private repository is revoked, they may still view issue and pull request titles through previously received notifications.

  • CVE-2026-20750 · Jan 22, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Gitea does not properly validate project ownership in organization project operations. A user with project write access in one organization may be able to modify projects belonging to a different organization.

  • CVE-2026-20736 · Jan 22, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Gitea does not properly verify repository context when deleting attachments. A user who previously uploaded an attachment to a repository may be able to delete it after losing access to that repository by making the request through a different repository they can access.

  • CVE-2026-0798 · Jan 22, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Gitea may send release notification emails for private repositories to users whose access has been revoked. When a repository is changed from public to private, users who previously watched the repository may continue to receive release notifications, potentially disclosing…

  • CVE-2025-69413 · Jan 1, 2026
    risk 0.00 · cvss n/a · epss 0.00

    In Gitea before 1.25.2, /api/v1/user has different responses for failed authentication depending on whether a username exists.

  • CVE-2025-68946 · Dec 26, 2025
    risk 0.00 · cvss n/a · epss 0.00

    In Gitea before 1.20.1, a forbidden URL scheme such as javascript: can be used for a link, aka XSS.

  • CVE-2025-68945 · Dec 26, 2025
    risk 0.00 · cvss n/a · epss 0.00

    In Gitea before 1.21.2, an anonymous user can visit a private user's project.

  • CVE-2025-68944 · Dec 26, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Gitea before 1.22.2 sometimes mishandles the propagation of token scope for access control within one of its own package registries.

  • CVE-2025-68943 · Dec 26, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Gitea before 1.21.8 inadvertently discloses users' login times by allowing (for example) the lastlogintime explore/users sort order.

  • CVE-2025-68942 · Dec 26, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Gitea before 1.22.2 allows XSS because the search input box (for creating tags and branches) is v-html instead of v-text.

  • CVE-2025-68941 · Dec 26, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Gitea before 1.22.3 mishandles access to a private resource upon receiving an API token with scope limited to public resources.

  • CVE-2025-68940 · Dec 26, 2025
    risk 0.00 · cvss n/a · epss 0.00

    In Gitea before 1.22.5, branch deletion permissions are not adequately enforced after merging a pull request.

  • CVE-2025-68939 · Dec 26, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Gitea before 1.23.0 allows attackers to add attachments with forbidden file extensions by editing an attachment name via an attachment API.

  • CVE-2025-68938 · Dec 26, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Gitea before 1.25.2 mishandles authorization for deletion of releases.

  • CVE-2022-38795 · Aug 7, 2023
    risk 0.00 · cvss n/a · epss 0.00

    In Gitea through 1.17.1, repo cloning can occur in the migration function.

  • CVE-2023-3515 · Jul 5, 2023
    risk 0.00 · cvss n/a · epss 0.00

    Open Redirect in GitHub repository go-gitea/gitea prior to 1.19.4.

  • CVE-2022-42968 · Oct 16, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Gitea before 1.17.3 does not sanitize and escape refs in the git backend. Arguments to git commands are mishandled.

  • CVE-2022-38183 · Aug 12, 2022
    risk 0.00 · cvss n/a · epss 0.01

    In Gitea before 1.16.9, it was possible for users to add existing issues to projects. Due to improper access controls, an attacker could assign any issue to any project in Gitea (there was no permission check for fetching the issue). As a result, the attacker would get access to…

  • CVE-2022-1928 · May 29, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Cross-site Scripting (XSS) - Stored in GitHub repository go-gitea/gitea prior to 1.16.9.

  • CVE-2022-27313 · May 3, 2022
    risk 0.00 · cvss n/a · epss 0.01

    An arbitrary file deletion vulnerability in Gitea v1.16.3 allows attackers to cause a Denial of Service (DoS) via deleting the configuration file.

  • CVE-2022-1058 · Mar 24, 2022
    risk 0.00 · cvss n/a · epss 0.53

    Open Redirect on login in GitHub repository go-gitea/gitea prior to 1.16.5.

  • CVE-2021-29134 · Mar 15, 2022
    risk 0.00 · cvss n/a · epss 0.01

    The avatar middleware in Gitea before 1.13.6 allows Directory Traversal via a crafted URL.

  • CVE-2022-0905 · Mar 10, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Missing Authorization in GitHub repository go-gitea/gitea prior to 1.16.4.

  • CVE-2021-45331 · Feb 9, 2022
    risk 0.00 · cvss n/a · epss 0.01

    An Authentication Bypass vulnerability exists in Gitea before 1.5.0, which could let a malicious user gain privileges. If captured, the TOTP code for the 2FA can be submitted correctly more than once.

  • CVE-2021-45330 · Feb 9, 2022
    risk 0.00 · cvss n/a · epss 0.01

    An issue exists in Gitea through 1.15.7, which could let a malicious user gain privileges, because client-side cookies are not deleted and the session remains valid on the server side for reuse.

  • CVE-2021-45329 · Feb 8, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Cross Site Scripting (XSS) vulnerability exists in Gitea before 1.5.1 via the repository settings inside the external wiki/issue tracker URL field.

  • CVE-2021-45328 · Feb 8, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Gitea before 1.4.3 is affected by URL Redirection to Untrusted Site ('Open Redirect') via internal URLs.

  • CVE-2021-45327 · Feb 8, 2022
    risk 0.00 · cvss n/a · epss 0.02

    Gitea before 1.11.2 is affected by Trusting HTTP Permission Methods on the Server Side when referencing the vulnerable admin or user API, which could let a remote malicious user execute arbitrary code.

  • CVE-2021-45326 · Feb 8, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Cross Site Request Forgery (CSRF) vulnerability exists in Gitea before 1.5.2 via API routes. This can be dangerous especially with state-altering POST requests.

  • CVE-2021-45325 · Feb 8, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Server Side Request Forgery (SSRF) vulnerability exists in Gitea before 1.7.0 using the OpenID URL.

Page 1 of 2