📦 Gitea
by Gitea
🛡️ Security Overview
⚠️ Known Vulnerabilities
Gitea versions before 1.25.4 have an improper access control vulnerability where attachments uploaded to private repositories can be linked to releases in public repositories. This allows unauthorized...
CVE-2026-20897 is an improper access control vulnerability in Gitea where users with write access to any repository can delete Git LFS locks belonging to other repositories. This allows unauthorized m...
Gitea contains an authorization bypass vulnerability where users with project write access in one organization can modify projects belonging to other organizations. This affects all Gitea instances wi...
This vulnerability in Gitea allows a malicious user to maintain access to a session even after logout due to improper cookie deletion on the client side and session persistence on the server side. Thi...
CVE-2021-45327 is a server-side request forgery (SSRF) vulnerability in Gitea's admin and user API endpoints that improperly trusts HTTP permission methods. This allows remote attackers to execute arb...
This vulnerability in Gitea allows attackers to inject malicious git protocol URLs containing newline characters and port specifications, potentially enabling remote code execution. It affects Gitea i...
This vulnerability in Gitea allows users who previously uploaded attachments to a repository to delete those attachments even after losing access to that repository. By making deletion requests throug...
This vulnerability in Gitea allows attackers to bypass file extension restrictions by manipulating attachment names through the attachment API. Attackers can upload files with normally forbidden exten...
CVE-2022-30781 is a remote code execution vulnerability in Gitea where improper escaping of git fetch remote parameters allows attackers to execute arbitrary commands on the server. This affects all G...
CVE-2022-27313 is an arbitrary file deletion vulnerability in Gitea that allows attackers to delete the configuration file, causing a Denial of Service. This affects Gitea v1.16.3 installations where ...
This Server-Side Request Forgery (SSRF) vulnerability in Gitea before version 1.7.0 allows attackers to make unauthorized requests from the Gitea server to internal network resources via the OpenID UR...
A stack buffer overflow vulnerability in Gitea versions 1.9.0 through 1.13.1 allows remote attackers to crash the service via specially crafted file paths. This affects all Gitea instances running vul...
This vulnerability in Gitea allows authenticated users to modify the visibility settings of other users' OpenID identities due to improper ownership validation. It affects all Gitea instances running ...
This vulnerability in Gitea allows users who have had their access to private repositories revoked to still view issue and pull request titles through previously received notifications. It affects Git...
This vulnerability allows users with revoked access to private Gitea repositories to still view issue titles and repository names through previously started stopwatches. It affects Gitea instances whe...
This vulnerability in Gitea allows users with read access to pull requests to cancel scheduled auto-merges created by other users. It's an authorization bypass that affects all Gitea instances running...
This CVE describes a cross-site scripting (XSS) vulnerability in Gitea versions before 1.20.1 where attackers can inject malicious JavaScript via forbidden URL schemes like javascript: in links. This ...
Gitea versions before 1.21.8 inadvertently disclose users' login times through the explore/users API endpoint. This information leakage vulnerability allows attackers to determine when users last logg...
Gitea versions before 1.22.2 have a token scope propagation flaw in package registries that could allow authenticated users to access resources beyond their intended permissions. This affects all Gite...
This vulnerability allows anonymous users to access private projects belonging to other users in Gitea instances. It affects all Gitea installations running versions before 1.21.2 where private reposi...
This Cross-Site Scripting (XSS) vulnerability in Gitea allows attackers to inject malicious scripts into the search input box for creating tags and branches. When exploited, these scripts execute in v...
Gitea versions before 1.22.3 contain an authorization bypass vulnerability where API tokens with scope limited to public resources can improperly access private resources. This affects all Gitea insta...
Gitea versions before 1.25.2 have an authorization flaw that allows users to delete releases they shouldn't have permission to delete. This affects all Gitea instances running vulnerable versions wher...
Gitea versions before 1.25.4 may send release notification emails for private repositories to users whose access has been revoked. This information disclosure vulnerability affects organizations using...
This vulnerability allows users with insufficient permissions to delete branches after merging pull requests in Gitea instances. It affects all Gitea deployments running versions before 1.22.5 where b...