gitea
Latest CVEs
The 15 most recently published vulnerabilities affecting gitea.
- CVE-2026-20912 (score 9.1): Gitea: Cross-Repository Authorization Bypass via Release Attachment Linking Leads to Private Attachment Disclosure
- CVE-2026-20904 (score 6.5): Gitea: Broken access control in OpenID visibility toggle enables cross-user visibility changes
- CVE-2026-20897 (score 9.1): Gitea Git LFS Lock Deletion Broken Access Control (Cross-Repo IDOR)
- CVE-2026-20888 (score 4.3): Gitea Pull Requests Auto-Merge: Read-Only Users Can Cancel Scheduled Auto-Merge via Web Endpoint (Authorization Bypass)
- CVE-2026-20883 (score 6.5): Gitea Stopwatch API Missing Authorization Check Leads to Post-Revocation Information Disclosure
- CVE-2026-20800 (score 6.5): Notification API Leaks Private Repository Issue Titles After Collaborator Permission Revocation
- CVE-2026-20750 (score 9.1): Gitea Organization Projects Cross-Organization Authorization Bypass via Project ID (IDOR)
- CVE-2026-20736 (score 7.5): Gitea Web Attachment Deletion: Cross-Repository Unauthorized Deletion via Missing Repo Ownership Check
- CVE-2026-0798 (score 3.5): Gitea Release Email Notifications Leak Private Repository Release Details After Access Revocation
- CVE-2025-69413 (score 5.3): In Gitea before 1.25.2, /api/v1/user has different responses for failed authentication depending on whether a username exists.
- CVE-2025-68946 (score 5.4): In Gitea before 1.20.1, a forbidden URL scheme such as javascript: can be used for a link, aka XSS.
- CVE-2025-68945 (score 5.8): In Gitea before 1.21.2, an anonymous user can visit a private user's project.
- CVE-2025-68944 (score 5.0): Gitea before 1.22.2 sometimes mishandles the propagation of token scope for access control within one of its own package registries.
- CVE-2025-68943 (score 5.3): Gitea before 1.21.8 inadvertently discloses users' login times by allowing (for example) the lastlogintime explore/users sort order.
- CVE-2025-68942 (score 5.4): Gitea before 1.22.2 allows XSS because the search input box (for creating tags and branches) is v-html instead of v-text.