
10 vulnerabilities

CVE-2026-20912 (GCVE-0-2026-20912)

Vulnerability from cvelistv5 – Published: 2026-01-22 22:01 – Updated: 2026-01-22 22:01
Title
Gitea: Cross-Repository Authorization Bypass via Release Attachment Linking Leads to Private Attachment Disclosure
Summary
Gitea does not properly validate repository ownership when linking attachments to releases. An attachment uploaded to a private repository could potentially be linked to a release in a different public repository, making it accessible to unauthorized users.
Severity ?
No CVSS data available.
CWE
  • CWE-284 - Improper Access Control
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
Impacted products
Vendor Product Version
Gitea Gitea Open Source Git Server Affected: 0 , ≤ 1.25.3 (semver)
Credits
spingARbor

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Gitea Open Source Git Server",
          "vendor": "Gitea",
          "versions": [
            {
              "lessThanOrEqual": "1.25.3",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "spingARbor"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Gitea does not properly validate repository ownership when linking attachments to releases. An attachment uploaded to a private repository could potentially be linked to a release in a different public repository, making it accessible to unauthorized users."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284: Improper Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-22T22:01:52.026Z",
        "orgId": "88ee5874-cf24-4952-aea0-31affedb7ff2",
        "shortName": "Gitea"
      },
      "references": [
        {
          "name": "GitHub Security Advisory",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://github.com/go-gitea/gitea/security/advisories/GHSA-vfmv-f93v-37mw"
        },
        {
          "name": "GitHub Pull Request #36320",
          "tags": [
            "patch"
          ],
          "url": "https://github.com/go-gitea/gitea/pull/36320"
        },
        {
          "name": "GitHub Pull Request #36355",
          "tags": [
            "patch"
          ],
          "url": "https://github.com/go-gitea/gitea/pull/36355"
        },
        {
          "name": "Gitea v1.25.4 Release",
          "tags": [
            "release-notes"
          ],
          "url": "https://github.com/go-gitea/gitea/releases/tag/v1.25.4"
        },
        {
          "name": "Gitea v1.25.4 Release Blog Post",
          "tags": [
            "release-notes"
          ],
          "url": "https://blog.gitea.com/release-of-1.25.4/"
        }
      ],
      "title": "Gitea: Cross-Repository Authorization Bypass via Release Attachment Linking Leads to Private Attachment Disclosure"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "88ee5874-cf24-4952-aea0-31affedb7ff2",
    "assignerShortName": "Gitea",
    "cveId": "CVE-2026-20912",
    "datePublished": "2026-01-22T22:01:52.026Z",
    "dateReserved": "2026-01-08T23:02:37.548Z",
    "dateUpdated": "2026-01-22T22:01:52.026Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-20888 (GCVE-0-2026-20888)

Vulnerability from cvelistv5 – Published: 2026-01-22 22:01 – Updated: 2026-01-22 22:01
Title
Gitea Pull Requests Auto-Merge: Read-Only Users Can Cancel Scheduled Auto-Merge via Web Endpoint (Authorization Bypass)
Summary
Gitea does not properly verify authorization when canceling scheduled auto-merges via the web interface. A user with read access to pull requests may be able to cancel auto-merges scheduled by other users.
Severity ?
No CVSS data available.
CWE
Assigner
Impacted products
Vendor Product Version
Gitea Gitea Open Source Git Server Affected: 0 , ≤ 1.25.3 (semver)
Credits
spingARbor

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Gitea Open Source Git Server",
          "vendor": "Gitea",
          "versions": [
            {
              "lessThanOrEqual": "1.25.3",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "spingARbor"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Gitea does not properly verify authorization when canceling scheduled auto-merges via the web interface. A user with read access to pull requests may be able to cancel auto-merges scheduled by other users."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284: Improper Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862: Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-22T22:01:51.214Z",
        "orgId": "88ee5874-cf24-4952-aea0-31affedb7ff2",
        "shortName": "Gitea"
      },
      "references": [
        {
          "name": "GitHub Security Advisory",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://github.com/go-gitea/gitea/security/advisories/GHSA-ccq9-c5hv-cf64"
        },
        {
          "name": "GitHub Pull Request #36341",
          "tags": [
            "patch"
          ],
          "url": "https://github.com/go-gitea/gitea/pull/36341"
        },
        {
          "name": "GitHub Pull Request #36356",
          "tags": [
            "patch"
          ],
          "url": "https://github.com/go-gitea/gitea/pull/36356"
        },
        {
          "name": "Gitea v1.25.4 Release",
          "tags": [
            "release-notes"
          ],
          "url": "https://github.com/go-gitea/gitea/releases/tag/v1.25.4"
        },
        {
          "name": "Gitea v1.25.4 Release Blog Post",
          "tags": [
            "release-notes"
          ],
          "url": "https://blog.gitea.com/release-of-1.25.4/"
        }
      ],
      "title": "Gitea Pull Requests Auto-Merge: Read-Only Users Can Cancel Scheduled Auto-Merge via Web Endpoint (Authorization Bypass)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "88ee5874-cf24-4952-aea0-31affedb7ff2",
    "assignerShortName": "Gitea",
    "cveId": "CVE-2026-20888",
    "datePublished": "2026-01-22T22:01:51.214Z",
    "dateReserved": "2026-01-08T23:02:37.542Z",
    "dateUpdated": "2026-01-22T22:01:51.214Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-20904 (GCVE-0-2026-20904)

Vulnerability from cvelistv5 – Published: 2026-01-22 22:01 – Updated: 2026-01-22 22:01
Title
Gitea: Broken access control in OpenID visibility toggle enables cross-user visibility changes
Summary
Gitea does not properly validate ownership when toggling OpenID URI visibility. An authenticated user may be able to change the visibility settings of other users' OpenID identities.
Severity ?
No CVSS data available.
CWE
  • CWE-284 - Improper Access Control
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
Impacted products
Vendor Product Version
Gitea Gitea Open Source Git Server Affected: 0 , ≤ 1.25.3 (semver)
Credits
spingARbor

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Gitea Open Source Git Server",
          "vendor": "Gitea",
          "versions": [
            {
              "lessThanOrEqual": "1.25.3",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "spingARbor"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Gitea does not properly validate ownership when toggling OpenID URI visibility. An authenticated user may be able to change the visibility settings of other users\u0027 OpenID identities."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284: Improper Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-22T22:01:51.762Z",
        "orgId": "88ee5874-cf24-4952-aea0-31affedb7ff2",
        "shortName": "Gitea"
      },
      "references": [
        {
          "name": "GitHub Security Advisory",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://github.com/go-gitea/gitea/security/advisories/GHSA-jrpc-w85r-hgqx"
        },
        {
          "name": "GitHub Pull Request #36346",
          "tags": [
            "patch"
          ],
          "url": "https://github.com/go-gitea/gitea/pull/36346"
        },
        {
          "name": "GitHub Pull Request #36361",
          "tags": [
            "patch"
          ],
          "url": "https://github.com/go-gitea/gitea/pull/36361"
        },
        {
          "name": "Gitea v1.25.4 Release",
          "tags": [
            "release-notes"
          ],
          "url": "https://github.com/go-gitea/gitea/releases/tag/v1.25.4"
        },
        {
          "name": "Gitea v1.25.4 Release Blog Post",
          "tags": [
            "release-notes"
          ],
          "url": "https://blog.gitea.com/release-of-1.25.4/"
        }
      ],
      "title": "Gitea: Broken access control in OpenID visibility toggle enables cross-user visibility changes"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "88ee5874-cf24-4952-aea0-31affedb7ff2",
    "assignerShortName": "Gitea",
    "cveId": "CVE-2026-20904",
    "datePublished": "2026-01-22T22:01:51.762Z",
    "dateReserved": "2026-01-08T23:02:37.537Z",
    "dateUpdated": "2026-01-22T22:01:51.762Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-20897 (GCVE-0-2026-20897)

Vulnerability from cvelistv5 – Published: 2026-01-22 22:01 – Updated: 2026-01-22 22:01
Title
Gitea Git LFS Lock Deletion Broken Access Control (Cross-Repo IDOR)
Summary
Gitea does not properly validate repository ownership when deleting Git LFS locks. A user with write access to one repository may be able to delete LFS locks belonging to other repositories.
Severity ?
No CVSS data available.
CWE
  • CWE-284 - Improper Access Control
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
Impacted products
Vendor Product Version
Gitea Gitea Open Source Git Server Affected: 0 , ≤ 1.25.3 (semver)
Credits
spingARbor

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Gitea Open Source Git Server",
          "vendor": "Gitea",
          "versions": [
            {
              "lessThanOrEqual": "1.25.3",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "spingARbor"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Gitea does not properly validate repository ownership when deleting Git LFS locks. A user with write access to one repository may be able to delete LFS locks belonging to other repositories."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284: Improper Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-22T22:01:51.508Z",
        "orgId": "88ee5874-cf24-4952-aea0-31affedb7ff2",
        "shortName": "Gitea"
      },
      "references": [
        {
          "name": "GitHub Security Advisory",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://github.com/go-gitea/gitea/security/advisories/GHSA-rrq5-r9h5-pc7c"
        },
        {
          "name": "GitHub Pull Request #36344",
          "tags": [
            "patch"
          ],
          "url": "https://github.com/go-gitea/gitea/pull/36344"
        },
        {
          "name": "GitHub Pull Request #36349",
          "tags": [
            "patch"
          ],
          "url": "https://github.com/go-gitea/gitea/pull/36349"
        },
        {
          "name": "Gitea v1.25.4 Release",
          "tags": [
            "release-notes"
          ],
          "url": "https://github.com/go-gitea/gitea/releases/tag/v1.25.4"
        },
        {
          "name": "Gitea v1.25.4 Release Blog Post",
          "tags": [
            "release-notes"
          ],
          "url": "https://blog.gitea.com/release-of-1.25.4/"
        }
      ],
      "title": "Gitea Git LFS Lock Deletion Broken Access Control (Cross-Repo IDOR)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "88ee5874-cf24-4952-aea0-31affedb7ff2",
    "assignerShortName": "Gitea",
    "cveId": "CVE-2026-20897",
    "datePublished": "2026-01-22T22:01:51.508Z",
    "dateReserved": "2026-01-08T23:02:37.525Z",
    "dateUpdated": "2026-01-22T22:01:51.508Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-20883 (GCVE-0-2026-20883)

Vulnerability from cvelistv5 – Published: 2026-01-22 22:01 – Updated: 2026-01-22 22:01
Title
Gitea Stopwatch API Missing Authorization Check Leads to Post-Revocation Information Disclosure
Summary
Gitea's stopwatch API does not re-validate repository access permissions. After a user's access to a private repository is revoked, they may still view issue titles and repository names through previously started stopwatches.
Severity ?
No CVSS data available.
CWE
  • CWE-284 - Improper Access Control
Assigner
Impacted products
Vendor Product Version
Gitea Gitea Open Source Git Server Affected: 0 , ≤ 1.25.3 (semver)
Credits
spingARbor

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Gitea Open Source Git Server",
          "vendor": "Gitea",
          "versions": [
            {
              "lessThanOrEqual": "1.25.3",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "spingARbor"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Gitea\u0027s stopwatch API does not re-validate repository access permissions. After a user\u0027s access to a private repository is revoked, they may still view issue titles and repository names through previously started stopwatches."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284: Improper Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-22T22:01:50.840Z",
        "orgId": "88ee5874-cf24-4952-aea0-31affedb7ff2",
        "shortName": "Gitea"
      },
      "references": [
        {
          "name": "GitHub Security Advisory",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://github.com/go-gitea/gitea/security/advisories/GHSA-644v-xv3j-xgqg"
        },
        {
          "name": "GitHub Pull Request #36340",
          "tags": [
            "patch"
          ],
          "url": "https://github.com/go-gitea/gitea/pull/36340"
        },
        {
          "name": "GitHub Pull Request #36368",
          "tags": [
            "patch"
          ],
          "url": "https://github.com/go-gitea/gitea/pull/36368"
        },
        {
          "name": "Gitea v1.25.4 Release",
          "tags": [
            "release-notes"
          ],
          "url": "https://github.com/go-gitea/gitea/releases/tag/v1.25.4"
        },
        {
          "name": "Gitea v1.25.4 Release Blog Post",
          "tags": [
            "release-notes"
          ],
          "url": "https://blog.gitea.com/release-of-1.25.4/"
        }
      ],
      "title": "Gitea Stopwatch API Missing Authorization Check Leads to Post-Revocation Information Disclosure"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "88ee5874-cf24-4952-aea0-31affedb7ff2",
    "assignerShortName": "Gitea",
    "cveId": "CVE-2026-20883",
    "datePublished": "2026-01-22T22:01:50.840Z",
    "dateReserved": "2026-01-08T23:02:37.553Z",
    "dateUpdated": "2026-01-22T22:01:50.840Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-20800 (GCVE-0-2026-20800)

Vulnerability from cvelistv5 – Published: 2026-01-22 22:01 – Updated: 2026-01-22 22:01
Title
Notification API Leaks Private Repository Issue Titles After Collaborator Permission Revocation
Summary
Gitea's notification API does not re-validate repository access permissions when returning notification details. After a user's access to a private repository is revoked, they may still view issue and pull request titles through previously received notifications.
Severity ?
No CVSS data available.
CWE
  • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
Impacted products
Vendor Product Version
Gitea Gitea Open Source Git Server Affected: 0 , ≤ 1.25.3 (semver)
Credits
spingARbor

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Gitea Open Source Git Server",
          "vendor": "Gitea",
          "versions": [
            {
              "lessThanOrEqual": "1.25.3",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "spingARbor"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Gitea\u0027s notification API does not re-validate repository access permissions when returning notification details. After a user\u0027s access to a private repository is revoked, they may still view issue and pull request titles through previously received notifications."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-22T22:01:50.368Z",
        "orgId": "88ee5874-cf24-4952-aea0-31affedb7ff2",
        "shortName": "Gitea"
      },
      "references": [
        {
          "name": "GitHub Security Advisory",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://github.com/go-gitea/gitea/security/advisories/GHSA-g54m-9f6g-wj7q"
        },
        {
          "name": "GitHub Pull Request #36339",
          "tags": [
            "patch"
          ],
          "url": "https://github.com/go-gitea/gitea/pull/36339"
        },
        {
          "name": "Gitea v1.25.4 Release",
          "tags": [
            "release-notes"
          ],
          "url": "https://github.com/go-gitea/gitea/releases/tag/v1.25.4"
        },
        {
          "name": "Gitea v1.25.4 Release Blog Post",
          "tags": [
            "release-notes"
          ],
          "url": "https://blog.gitea.com/release-of-1.25.4/"
        }
      ],
      "title": "Notification API Leaks Private Repository Issue Titles After Collaborator Permission Revocation"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "88ee5874-cf24-4952-aea0-31affedb7ff2",
    "assignerShortName": "Gitea",
    "cveId": "CVE-2026-20800",
    "datePublished": "2026-01-22T22:01:50.368Z",
    "dateReserved": "2026-01-08T23:02:37.571Z",
    "dateUpdated": "2026-01-22T22:01:50.368Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-20750 (GCVE-0-2026-20750)

Vulnerability from cvelistv5 – Published: 2026-01-22 22:01 – Updated: 2026-01-22 22:01
Title
Gitea Organization Projects Cross-Organization Authorization Bypass via Project ID (IDOR)
Summary
Gitea does not properly validate project ownership in organization project operations. A user with project write access in one organization may be able to modify projects belonging to a different organization.
Severity ?
No CVSS data available.
CWE
  • CWE-284 - Improper Access Control
Assigner
Impacted products
Vendor Product Version
Gitea Gitea Open Source Git Server Affected: 0 , ≤ 1.25.3 (semver)
Credits
spingARbor

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Gitea Open Source Git Server",
          "vendor": "Gitea",
          "versions": [
            {
              "lessThanOrEqual": "1.25.3",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "spingARbor"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Gitea does not properly validate project ownership in organization project operations. A user with project write access in one organization may be able to modify projects belonging to a different organization."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284: Improper Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-22T22:01:49.948Z",
        "orgId": "88ee5874-cf24-4952-aea0-31affedb7ff2",
        "shortName": "Gitea"
      },
      "references": [
        {
          "name": "GitHub Security Advisory",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://github.com/go-gitea/gitea/security/advisories/GHSA-h4fh-pc4w-8w27"
        },
        {
          "name": "GitHub Pull Request #36318",
          "tags": [
            "patch"
          ],
          "url": "https://github.com/go-gitea/gitea/pull/36318"
        },
        {
          "name": "GitHub Pull Request #36373",
          "tags": [
            "patch"
          ],
          "url": "https://github.com/go-gitea/gitea/pull/36373"
        },
        {
          "name": "Gitea v1.25.4 Release",
          "tags": [
            "release-notes"
          ],
          "url": "https://github.com/go-gitea/gitea/releases/tag/v1.25.4"
        },
        {
          "name": "Gitea v1.25.4 Release Blog Post",
          "tags": [
            "release-notes"
          ],
          "url": "https://blog.gitea.com/release-of-1.25.4/"
        }
      ],
      "title": "Gitea Organization Projects Cross-Organization Authorization Bypass via Project ID (IDOR)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "88ee5874-cf24-4952-aea0-31affedb7ff2",
    "assignerShortName": "Gitea",
    "cveId": "CVE-2026-20750",
    "datePublished": "2026-01-22T22:01:49.948Z",
    "dateReserved": "2026-01-08T23:02:37.565Z",
    "dateUpdated": "2026-01-22T22:01:49.948Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-20736 (GCVE-0-2026-20736)

Vulnerability from cvelistv5 – Published: 2026-01-22 22:01 – Updated: 2026-01-22 22:01
Title
Gitea Web Attachment Deletion: Cross-Repository Unauthorized Deletion via Missing Repo Ownership Check
Summary
Gitea does not properly verify repository context when deleting attachments. A user who previously uploaded an attachment to a repository may be able to delete it after losing access to that repository by making the request through a different repository they can access.
Severity ?
No CVSS data available.
CWE
  • CWE-284 - Improper Access Control
Assigner
Impacted products
Vendor Product Version
Gitea Gitea Open Source Git Server Affected: 0 , ≤ 1.25.3 (semver)
Credits
spingARbor

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Gitea Open Source Git Server",
          "vendor": "Gitea",
          "versions": [
            {
              "lessThanOrEqual": "1.25.3",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "spingARbor"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Gitea does not properly verify repository context when deleting attachments. A user who previously uploaded an attachment to a repository may be able to delete it after losing access to that repository by making the request through a different repository they can access."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284: Improper Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-22T22:01:49.678Z",
        "orgId": "88ee5874-cf24-4952-aea0-31affedb7ff2",
        "shortName": "Gitea"
      },
      "references": [
        {
          "name": "GitHub Security Advisory",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://github.com/go-gitea/gitea/security/advisories/GHSA-jr6h-pwwp-c8g6"
        },
        {
          "name": "GitHub Pull Request #36320",
          "tags": [
            "patch"
          ],
          "url": "https://github.com/go-gitea/gitea/pull/36320"
        },
        {
          "name": "Gitea v1.25.4 Release",
          "tags": [
            "release-notes"
          ],
          "url": "https://github.com/go-gitea/gitea/releases/tag/v1.25.4"
        },
        {
          "name": "Gitea v1.25.4 Release Blog Post",
          "tags": [
            "release-notes"
          ],
          "url": "https://blog.gitea.com/release-of-1.25.4/"
        }
      ],
      "title": "Gitea Web Attachment Deletion: Cross-Repository Unauthorized Deletion via Missing Repo Ownership Check"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "88ee5874-cf24-4952-aea0-31affedb7ff2",
    "assignerShortName": "Gitea",
    "cveId": "CVE-2026-20736",
    "datePublished": "2026-01-22T22:01:49.678Z",
    "dateReserved": "2026-01-08T23:02:37.558Z",
    "dateUpdated": "2026-01-22T22:01:49.678Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-0798 (GCVE-0-2026-0798)

Vulnerability from cvelistv5 – Published: 2026-01-22 22:01 – Updated: 2026-01-22 22:01
Title
Gitea Release Email Notifications Leak Private Repository Release Details After Access Revocation
Summary
Gitea may send release notification emails for private repositories to users whose access has been revoked. When a repository is changed from public to private, users who previously watched the repository may continue to receive release notifications, potentially disclosing release titles, tags, and content.
Severity ?
No CVSS data available.
CWE
  • CWE-284 - Improper Access Control
Assigner
Impacted products
Vendor Product Version
Gitea Gitea Open Source Git Server Affected: 0 , ≤ 1.25.3 (semver)
Credits
spingARbor

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Gitea Open Source Git Server",
          "vendor": "Gitea",
          "versions": [
            {
              "lessThanOrEqual": "1.25.3",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "spingARbor"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Gitea may send release notification emails for private repositories to users whose access has been revoked. When a repository is changed from public to private, users who previously watched the repository may continue to receive release notifications, potentially disclosing release titles, tags, and content."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284: Improper Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-22T22:01:49.410Z",
        "orgId": "88ee5874-cf24-4952-aea0-31affedb7ff2",
        "shortName": "Gitea"
      },
      "references": [
        {
          "name": "GitHub Security Advisory",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://github.com/go-gitea/gitea/security/advisories/GHSA-f4wq-6ww5-m56p"
        },
        {
          "name": "GitHub Pull Request #36319",
          "tags": [
            "patch"
          ],
          "url": "https://github.com/go-gitea/gitea/pull/36319"
        },
        {
          "name": "Gitea v1.25.4 Release",
          "tags": [
            "release-notes"
          ],
          "url": "https://github.com/go-gitea/gitea/releases/tag/v1.25.4"
        },
        {
          "name": "Gitea v1.25.4 Release Blog Post",
          "tags": [
            "release-notes"
          ],
          "url": "https://blog.gitea.com/release-of-1.25.4/"
        }
      ],
      "title": "Gitea Release Email Notifications Leak Private Repository Release Details After Access Revocation"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "88ee5874-cf24-4952-aea0-31affedb7ff2",
    "assignerShortName": "Gitea",
    "cveId": "CVE-2026-0798",
    "datePublished": "2026-01-22T22:01:49.410Z",
    "dateReserved": "2026-01-08T23:02:08.534Z",
    "dateUpdated": "2026-01-22T22:01:49.410Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-6886 (GCVE-0-2024-6886)

Vulnerability from cvelistv5 – Published: 2024-08-06 03:23 – Updated: 2024-08-06 14:30
Title
Improper Sanitization of field leading to stored XSS
Summary
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Gitea Gitea Open Source Git Server allows Stored XSS. This issue affects Gitea Open Source Git Server: 1.22.0.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
Impacted products
Vendor Product Version
Gitea Gitea Open Source Git Server Affected: 1.22.0 (semver)
Credits
Catalin Iovita (https://github.com/catalin-iovita) Alexandru Postolache (https://github.com/alex-postolache)

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:gitea:gitea:1.22.0:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unaffected",
            "product": "gitea",
            "vendor": "gitea",
            "versions": [
              {
                "status": "affected",
                "version": "1.22.0"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-6886",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-08-06T14:26:58.912514Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-06T14:30:41.836Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Gitea Open Source Git Server",
          "repo": "https://github.com/go-gitea/gitea/",
          "vendor": "Gitea",
          "versions": [
            {
              "status": "affected",
              "version": "1.22.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Catalin Iovita (https://github.com/catalin-iovita)"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Alexandru Postolache (https://github.com/alex-postolache)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in Gitea Gitea Open Source Git Server allows Stored XSS.\u003cp\u003eThis issue affects Gitea Open Source Git Server: 1.22.0.\u003c/p\u003e"
            }
          ],
          "value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in Gitea Gitea Open Source Git Server allows Stored XSS.This issue affects Gitea Open Source Git Server: 1.22.0."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-592",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-592 Stored XSS"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 10,
            "baseSeverity": "CRITICAL",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-08-06T03:23:21.692Z",
        "orgId": "88ee5874-cf24-4952-aea0-31affedb7ff2",
        "shortName": "Gitea"
      },
      "references": [
        {
          "url": "https://github.com/go-gitea/gitea/pull/31200"
        },
        {
          "url": "https://blog.gitea.com/release-of-1.22.1/"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Inproper Sanitation of field leading to stored XSS",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "88ee5874-cf24-4952-aea0-31affedb7ff2",
    "assignerShortName": "Gitea",
    "cveId": "CVE-2024-6886",
    "datePublished": "2024-08-06T03:23:21.692Z",
    "dateReserved": "2024-07-18T18:22:45.238Z",
    "dateUpdated": "2024-08-06T14:30:41.836Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}