code.gitea.io/gitea
This hub aggregates every CVE we track for code.gitea.io/gitea (the Go module path of Gitea, the self-hosted Git service), a product filed under the oss libraries category. Use it to gauge the current risk picture and drill into individual advisories; the counts below cover all tracked CVEs, while the list further down shows only the 15 most recent.
CVEs tracked: 32
Critical: 5
High: 7
In CISA KEV: 0

Severity distribution: Critical 5, High 7, Medium 17, Low 3 (total 32)
Monthly trend, 2024-07 to 2026-06 (CVEs published per month): 2024-08: 1; 2025-12: 9; 2026-01: 3; every other month in the window: 0.
Latest CVEs
The 15 most recently published vulnerabilities affecting code.gitea.io/gitea, with the CVSS base score after each entry.
- CVE-2026-20736: Gitea web attachment deletion: cross-repository unauthorized deletion via a missing repository ownership check. CVSS 7.5
- CVE-2026-0798: Gitea release email notifications leak private repository release details after access revocation. CVSS 3.5
- CVE-2025-69413: In Gitea before 1.25.2, /api/v1/user returns different responses for failed authentication depending on whether the username exists (username enumeration). CVSS 5.3
- CVE-2025-68946: In Gitea before 1.20.1, a forbidden URL scheme such as javascript: can be used for a link, aka XSS. CVSS 5.4
- CVE-2025-68945: In Gitea before 1.21.2, an anonymous user can visit a private user's project. CVSS 5.8
- CVE-2025-68944: Gitea before 1.22.2 sometimes mishandles the propagation of token scope for access control within one of its own package registries. CVSS 5.0
- CVE-2025-68943: Gitea before 1.21.8 inadvertently discloses users' login times by allowing (for example) the lastlogintime explore/users sort order. CVSS 5.3
- CVE-2025-68942: Gitea before 1.22.2 allows XSS because the search input box (for creating tags and branches) is rendered with v-html instead of v-text. CVSS 5.4
- CVE-2025-68941: Gitea before 1.22.3 mishandles access to a private resource upon receiving an API token whose scope is limited to public resources. CVSS 4.9
- CVE-2025-68940: In Gitea before 1.22.5, branch deletion permissions are not adequately enforced after merging a pull request. CVSS 3.1
- CVE-2025-68939: Gitea before 1.23.0 allows attackers to add attachments with forbidden file extensions by editing an attachment name via an attachment API. CVSS 8.2
- CVE-2025-68938: Gitea before 1.25.2 mishandles authorization for deletion of releases. CVSS 4.3
- CVE-2024-6886: Improper sanitization of a field leading to stored XSS. CVSS 10.0
- CVE-2022-38795: In Gitea through 1.17.1, repo cloning can occur in the migration function. CVSS 6.5
- CVE-2023-3515: Open redirect in go-gitea/gitea. CVSS 4.4
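A triage helper, added here as an example and not part of this page or of Gitea itself: given the Gitea version you run, it reads the version range stated in the summaries above ("before X" meaning fixed in X, "through X" meaning X is the last affected release) and reports which of the 15 listed advisories apply. The list is copied into the block as constructed input; entries whose summary states no range at all (the two 2026 entries, CVE-2024-6886 and CVE-2023-3515) are returned separately so they are read against the full advisory rather than silently dropped. The regular expressions, the Triage function and the Advisories variable are this example's own, and the result covers only the 15 rows shown, not all 32 tracked CVEs.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Advisory is one row of the "Latest CVEs" list: ID, summary and CVSS score.
type Advisory struct {
	ID      string
	Summary string
	Score   float64
}

// Advisories is the list on this page, copied here as constructed input.
var Advisories = []Advisory{
	{"CVE-2026-20736", "Gitea web attachment deletion: cross-repository unauthorized deletion via a missing repository ownership check.", 7.5},
	{"CVE-2026-0798", "Gitea release email notifications leak private repository release details after access revocation.", 3.5},
	{"CVE-2025-69413", "In Gitea before 1.25.2, /api/v1/user returns different responses for failed authentication depending on whether the username exists.", 5.3},
	{"CVE-2025-68946", "In Gitea before 1.20.1, a forbidden URL scheme such as javascript: can be used for a link, aka XSS.", 5.4},
	{"CVE-2025-68945", "In Gitea before 1.21.2, an anonymous user can visit a private user's project.", 5.8},
	{"CVE-2025-68944", "Gitea before 1.22.2 sometimes mishandles the propagation of token scope for access control within one of its own package registries.", 5.0},
	{"CVE-2025-68943", "Gitea before 1.21.8 inadvertently discloses users' login times by allowing (for example) the lastlogintime explore/users sort order.", 5.3},
	{"CVE-2025-68942", "Gitea before 1.22.2 allows XSS because the search input box (for creating tags and branches) is rendered with v-html instead of v-text.", 5.4},
	{"CVE-2025-68941", "Gitea before 1.22.3 mishandles access to a private resource upon receiving an API token whose scope is limited to public resources.", 4.9},
	{"CVE-2025-68940", "In Gitea before 1.22.5, branch deletion permissions are not adequately enforced after merging a pull request.", 3.1},
	{"CVE-2025-68939", "Gitea before 1.23.0 allows attackers to add attachments with forbidden file extensions by editing an attachment name via an attachment API.", 8.2},
	{"CVE-2025-68938", "Gitea before 1.25.2 mishandles authorization for deletion of releases.", 4.3},
	{"CVE-2024-6886", "Improper sanitization of a field leading to stored XSS.", 10.0},
	{"CVE-2022-38795", "In Gitea through 1.17.1, repo cloning can occur in the migration function.", 6.5},
	{"CVE-2023-3515", "Open redirect in go-gitea/gitea.", 4.4},
}

// The summaries use the MITRE wording "before X" (fixed in X) and
// "through X" (X is the last affected version). These patterns are this
// example's own, not anything Gitea or the page defines.
var (
	reBefore  = regexp.MustCompile(`(?i)\bbefore\s+v?(\d+(?:\.\d+)*)`)
	reThrough = regexp.MustCompile(`(?i)\bthrough\s+v?(\d+(?:\.\d+)*)`)
)

// parseVersion turns "1.22.2" (or "v1.22.2") into integer components.
func parseVersion(s string) ([]int, error) {
	var out []int
	for _, p := range strings.Split(strings.TrimPrefix(s, "v"), ".") {
		n, err := strconv.Atoi(p)
		if err != nil {
			return nil, fmt.Errorf("bad version %q: %w", s, err)
		}
		out = append(out, n)
	}
	return out, nil
}

// compareVersions returns -1, 0 or 1; missing trailing components count as 0,
// so "1.22" and "1.22.0" compare equal.
func compareVersions(a, b []int) int {
	for i := 0; i < len(a) || i < len(b); i++ {
		var x, y int
		if i < len(a) {
			x = a[i]
		}
		if i < len(b) {
			y = b[i]
		}
		if x < y {
			return -1
		}
		if x > y {
			return 1
		}
	}
	return 0
}

// Triage returns the IDs whose summary range covers the installed version,
// plus the IDs whose summary carries no range (read those advisories by hand).
func Triage(installed string) (affected, unknown []string, err error) {
	cur, err := parseVersion(installed)
	if err != nil {
		return nil, nil, err
	}
	for _, a := range Advisories {
		// The regexes only match digits and dots, so parseVersion cannot fail here.
		if m := reBefore.FindStringSubmatch(a.Summary); m != nil {
			fixed, _ := parseVersion(m[1])
			if compareVersions(cur, fixed) < 0 {
				affected = append(affected, a.ID)
			}
			continue
		}
		if m := reThrough.FindStringSubmatch(a.Summary); m != nil {
			last, _ := parseVersion(m[1])
			if compareVersions(cur, last) <= 0 {
				affected = append(affected, a.ID)
			}
			continue
		}
		unknown = append(unknown, a.ID)
	}
	return affected, unknown, nil
}

func main() {
	affected, unknown, err := Triage("1.22.2")
	if err != nil {
		panic(err)
	}
	fmt.Println("affected per summary:", affected)
	fmt.Println("no range in summary, read the advisory:", unknown)
}
```

Running it for 1.22.2 flags CVE-2025-69413, CVE-2025-68941, CVE-2025-68940, CVE-2025-68939 and CVE-2025-68938 and lists the four range-less entries as unknown. The comparison is purely by version number: it knows nothing about backports to older release branches, so treat "affected" as "needs the advisory read", not as a final verdict.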
Product normalization is registry-driven with AI assist and human review.