Products

1 vendor

| Vendor | Products | CVEs | KEV | Avg EPSS | Worst Severity |
|---|---|---|---|---|---|
|  | 1 | 52 | 0 | 49.6% | CRITICAL |

Related CVEs

52 entries

| CVE ID | Description | Severity | CVSS | KEV | EPSS | Published |
|---|---|---|---|---|---|---|
| CVE-2026-20912 | Gitea does not properly validate repository ownership when linking attachments to releases. An attachment uploaded to a private repository could potentially be linked to a release in a different public repository, making it accessible to unauthorized users. | CRITICAL | 9.1 |  | 33.2% | Jan 22, 2026 |
| CVE-2026-20904 | Gitea does not properly validate ownership when toggling OpenID URI visibility. An authenticated user may be able to change the visibility settings of other users' OpenID identities. | MEDIUM | 6.5 |  | 19.5% | Jan 22, 2026 |
| CVE-2026-20897 | Gitea does not properly validate repository ownership when deleting Git LFS locks. A user with write access to one repository may be able to delete LFS locks belonging to other repositories. | CRITICAL | 9.1 |  | 33.2% | Jan 22, 2026 |
| CVE-2026-20888 | Gitea does not properly verify authorization when canceling scheduled auto-merges via the web interface. A user with read access to pull requests may be able to cancel auto-merges scheduled by other users. | MEDIUM | 4.3 |  | 22.0% | Jan 22, 2026 |
| CVE-2026-20883 | Gitea's stopwatch API does not re-validate repository access permissions. After a user's access to a private repository is revoked, they may still view issue titles and repository names through previously started stopwatches. | MEDIUM | 6.5 |  | 25.1% | Jan 22, 2026 |
| CVE-2026-20800 | Gitea's notification API does not re-validate repository access permissions when returning notification details. After a user's access to a private repository is revoked, they may still view issue and pull request titles through previously received notifications. | MEDIUM | 6.5 |  | 26.2% | Jan 22, 2026 |
| CVE-2026-20750 | Gitea does not properly validate project ownership in organization project operations. A user with project write access in one organization may be able to modify projects belonging to a different organization. | CRITICAL | 9.1 |  | 31.1% | Jan 22, 2026 |
| CVE-2026-20736 | Gitea does not properly verify repository context when deleting attachments. A user who previously uploaded an attachment to a repository may be able to delete it after losing access to that repository by making the request through a different repository they can access. | HIGH | 7.5 |  | 23.9% | Jan 22, 2026 |
| CVE-2026-0798 | Gitea may send release notification emails for private repositories to users whose access has been revoked. When a repository is changed from public to private, users who previously watched the repository may continue to receive release notifications, potentially disclosing release titles, tags, and content. | LOW | 3.5 |  | 14.6% | Jan 22, 2026 |
| CVE-2025-69413 | In Gitea before 1.25.2, /api/v1/user has different responses for failed authentication depending on whether a username exists. | MEDIUM | 5.3 |  | 27.5% | Jan 1, 2026 |
| CVE-2025-68946 | In Gitea before 1.20.1, a forbidden URL scheme such as javascript: can be used for a link, aka XSS. | MEDIUM | 5.4 |  | 12.7% | Dec 26, 2025 |
| CVE-2025-68945 | In Gitea before 1.21.2, an anonymous user can visit a private user's project. | MEDIUM | 5.3 |  | 24.5% | Dec 26, 2025 |
| CVE-2025-68944 | Gitea before 1.22.2 sometimes mishandles the propagation of token scope for access control within one of its own package registries. | MEDIUM | 5.3 |  | 16.6% | Dec 26, 2025 |
| CVE-2025-68943 | Gitea before 1.21.8 inadvertently discloses users' login times by allowing (for example) the lastlogintime explore/users sort order. | MEDIUM | 5.3 |  | 24.5% | Dec 26, 2025 |
| CVE-2025-68942 | Gitea before 1.22.2 allows XSS because the search input box (for creating tags and branches) is v-html instead of v-text. | MEDIUM | 5.4 |  | 12.7% | Dec 26, 2025 |
| CVE-2025-68941 | Gitea before 1.22.3 mishandles access to a private resource upon receiving an API token with scope limited to public resources. | MEDIUM | 5.3 |  | 14.8% | Dec 26, 2025 |
| CVE-2025-68940 | In Gitea before 1.22.5, branch deletion permissions are not adequately enforced after merging a pull request. | MEDIUM | 5.3 |  | 16.3% | Dec 26, 2025 |
| CVE-2025-68939 | Gitea before 1.23.0 allows attackers to add attachments with forbidden file extensions by editing an attachment name via an attachment API. | MEDIUM | 5.3 |  | 21.1% | Dec 26, 2025 |
| CVE-2025-68938 | Gitea before 1.25.2 mishandles authorization for deletion of releases. | MEDIUM | 5.3 |  | 26.8% | Dec 26, 2025 |
| CVE-2022-38795 | In Gitea through 1.17.1, repo cloning can occur in the migration function. | MEDIUM | 6.5 |  | 36.7% | Aug 7, 2023 |