CVE-2025-68946

5.4 MEDIUM

📋 TL;DR

This CVE describes a cross-site scripting (XSS) vulnerability in Gitea versions before 1.20.1: links using URL schemes that Gitea is meant to forbid, such as javascript:, were not rejected, so an attacker could inject JavaScript through user-supplied links. This affects all Gitea instances running vulnerable versions, potentially compromising user sessions and data.

💻 Affected Systems

Products:
  • Gitea
Versions: All versions before 1.20.1
Operating Systems: All platforms running Gitea
Default Config Vulnerable: ⚠️ Yes
Notes: All Gitea deployments using vulnerable versions are affected regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal session cookies, perform actions as authenticated users, deface content, or redirect users to malicious sites, leading to complete account compromise.

🟠

Likely Case

Attackers inject malicious scripts to steal session tokens or credentials from users who click on crafted links, potentially gaining unauthorized access.

🟢

If Mitigated

With proper input validation and output encoding, the risk is limited to minor content manipulation with no significant impact.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user interaction (clicking a malicious link) and typically authenticated access to create/modify content.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.20.1

Vendor Advisory: https://blog.gitea.com/release-of-1.20.1/

Restart Required: Yes

Instructions:

1. Back up your Gitea instance and database.
2. Download Gitea 1.20.1 from the official releases.
3. Stop the Gitea service.
4. Replace the Gitea binary with the new version.
5. Restart the Gitea service.

🔧 Temporary Workarounds

Input Validation Filter (all platforms)

Implement custom input validation to reject or sanitize URL schemes like javascript: in user-generated content.
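As an added example (not Gitea's code and not part of this advisory), a scheme allowlist check of the kind the workaround above describes, written in Go because Gitea is a Go project; the allowlist contents and the function names are assumptions. It normalizes the input the way browsers do before deciding, so case changes and embedded tab/newline characters do not slip a javascript: link past the filter.

```go
package main

import (
	"strings"
	"unicode"
)

// Permitted link schemes; scheme-less (relative) links are also accepted. Assumed allowlist.
var allowedSchemes = map[string]bool{"http": true, "https": true, "mailto": true}

// normalizeHref mimics the lenient parsing browsers apply before resolving a link:
// surrounding whitespace/control characters are trimmed and tab, LF and CR are dropped.
func normalizeHref(href string) string {
	href = strings.TrimFunc(href, func(r rune) bool { return r <= ' ' || unicode.IsControl(r) })
	return strings.Map(func(r rune) rune {
		if r == '\t' || r == '\n' || r == '\r' {
			return -1 // strings.Map drops runes mapped to -1
		}
		return r
	}, href)
}

// isSchemeChar follows RFC 3986: first char a letter, then letters/digits/+/-/.
func isSchemeChar(r rune, first bool) bool {
	letter := (r >= 'a' && r <= 'z') || (r >= 'A' && r <= 'Z')
	if first {
		return letter
	}
	return letter || (r >= '0' && r <= '9') || r == '+' || r == '-' || r == '.'
}

// linkScheme returns the lower-cased scheme terminated by ':', or "" for a relative link.
func linkScheme(href string) string {
	for i, r := range href {
		if r == ':' && i > 0 {
			return strings.ToLower(href[:i])
		}
		if !isSchemeChar(r, i == 0) {
			return ""
		}
	}
	return ""
}

// SafeHref reports whether a user-supplied link target may be rendered as an href.
func SafeHref(href string) bool {
	scheme := linkScheme(normalizeHref(href))
	return scheme == "" || allowedSchemes[scheme]
}
```

Apply the check when content is rendered, not only when it is saved, so links stored before the filter existed are covered too.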

🧯 If You Can't Patch

  • Disable user-generated content features that allow URL inputs.
  • Implement a web application firewall (WAF) with XSS protection rules.

🔍 How to Verify

Check if Vulnerable:

Check the Gitea version via the web interface (Admin Dashboard) or by running './gitea --version' in the installation directory.

Check Version:

./gitea --version

Verify Fix Applied:

Confirm the version is 1.20.1 or later and test that javascript: URLs are properly sanitized in links.

📡 Detection & Monitoring

Log Indicators:

  • Unusual content modifications, especially with javascript: URLs in repository or issue logs.

Network Indicators:

  • HTTP requests containing javascript: scheme in URL parameters.

SIEM Query:

source="gitea.log" AND "javascript:"
