Github.com/go-gitea/gitea

This hub aggregates every CVE we track for Github.com/go-gitea/gitea, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Github.com/go-gitea/gitea.

• CVE-2026-20912Gitea: Cross-Repository Authorization Bypass via Release Attachment Linking Leads to Private Attachment Disclosure9.1Jan 22, 2026
• CVE-2026-20904Gitea: Broken access control in OpenID visibility toggle enables cross-user visibility changes6.5Jan 22, 2026
• CVE-2026-20888Gitea Pull Requests Auto-Merge: Read-Only Users Can Cancel Scheduled Auto-Merge via Web Endpoint (Authorization Bypass)4.3Jan 22, 2026
• CVE-2026-20897Gitea Git LFS Lock Deletion Broken Access Control (Cross-Repo IDOR)9.1Jan 22, 2026
• CVE-2026-20800Notification API Leaks Private Repository Issue Titles After Collaborator Permission Revocation6.5Jan 22, 2026
• CVE-2026-20883Gitea Stopwatch API Missing Authorization Check Leads to Post-Revocation Information Disclosure6.5Jan 22, 2026
• CVE-2026-20750Gitea Organization Projects Cross-Organization Authorization Bypass via Project ID (IDOR)9.1Jan 22, 2026
• CVE-2022-42968Gitea before 1.17.3 does not sanitize and escape refs in the git backend. Arguments to git commands are mishandled.9.8Oct 16, 2022
• CVE-2021-45329Cross Site Scripting (XSS) vulnerability exists in Gitea before 1.5.1 via the repository settings inside the external wiki/issue tracker URL field.6.1Feb 8, 2022
• CVE-2021-45328Gitea before 1.4.3 is affected by URL Redirection to Untrusted Site ('Open Redirect') via internal URLs.6.1Feb 8, 2022
• CVE-2021-45327Gitea before 1.11.2 is affected by Trusting HTTP Permission Methods on the Server Side when referencing the vulnerable admin or user API. which could let a remote malisious user execute arbitrary c...9.8Feb 8, 2022
• CVE-2021-45326Cross Site Request Forgery (CSRF) vulnerability exists in Gitea before 1.5.2 via API routes.This can be dangerous especially with state altering POST requests.8.8Feb 8, 2022
• CVE-2021-45325Server Side Request Forgery (SSRF) vulneraility exists in Gitea before 1.7.0 using the OpenID URL.7.5Feb 8, 2022
• CVE-2021-3382Stack buffer overflow vulnerability in gitea 1.9.0 through 1.13.1 allows remote attackers to cause a denial of service (crash) via vectors related to a file path.7.5Feb 5, 2021
• CVE-2020-28991Gitea 0.9.99 through 1.12.x before 1.12.6 does not prevent a git protocol path that specifies a TCP port number and also contains newlines (with URL encoding) in ParseRemoteAddr in modules/auth/rep...9.8Nov 24, 2020