CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
| Total | Critical | High | Medium |
|---|---|---|---|
| 20322 | 1466 | 6160 | 6453 |
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-27783 | MEDIUM | 4.3 | Gitea versions up to and including 1.26.1 do not enforce repository-unit authorization on issue-template API endpoints. | Jul 03, 2026 |
| CVE-2026-27780 | UNKNOWN | — | Gitea versions before 1.26.0 do not fail closed on bufio.Scanner errors while processing pre-receive hook input, allowing oversized input to bypass branch-protection checks. | Jul 03, 2026 |
| CVE-2026-27779 | UNKNOWN | — | Gitea versions before 1.25.5 accept malformed or injected forwarded-proto values when detecting public URLs, allowing spoofed canonical URL generation. | Jul 03, 2026 |
| CVE-2026-27775 | UNKNOWN | — | Gitea 1.25.5 caches a branch-specific write-permission result across multiple refs in one pre-receive hook session, allowing a per-branch maintainer-edit grant to be reused for other … | Jul 03, 2026 |
| CVE-2026-27771 | HIGH | 8.2 | Gitea versions up to and including 1.26.1 have insufficient permission checks for Composer package source links, which can expose private or internal package source information. | Jul 03, 2026 |
| CVE-2026-27761 | MEDIUM | 4.3 | Gitea versions up to and including 1.26.2 allow repository RSS and Atom feed endpoints to bypass API access token scope checks, exposing private repository commit … | Jul 03, 2026 |
| CVE-2026-27660 | UNKNOWN | — | Gitea versions before 1.25.5 allow draft release data or attachments to be accessed without the required write permission. | Jul 03, 2026 |
| CVE-2026-27657 | UNKNOWN | — | Gitea versions before 1.25.5 allow a user to change another user's primary email address. | Jul 03, 2026 |
| CVE-2026-26307 | UNKNOWN | — | Gitea versions before 1.25.5 do not enforce a timeout on git grep searches, allowing expensive searches to consume server resources. | Jul 03, 2026 |
| CVE-2026-26292 | UNKNOWN | — | Gitea versions before 1.25.5 do not use the migration HTTP transport for LFS push and sync mirror operations, bypassing the configured migration transport protections for … | Jul 03, 2026 |
| CVE-2026-26247 | UNKNOWN | — | Gitea versions before 1.25.5 do not persist the OAuth2 PKCE S256 challenge method correctly during authorization, allowing token exchange without the expected verifier check. | Jul 03, 2026 |
| CVE-2026-26232 | UNKNOWN | — | Gitea versions before 1.25.5 do not consistently enforce OAuth2 authorization code expiry and single-use behavior during token exchange. | Jul 03, 2026 |
| CVE-2026-26231 | HIGH | 8.5 | Gitea versions up to and including 1.26.1 allow the Allow edits from maintainers permission path to authorize commits to repositories that the user can read … | Jul 03, 2026 |
| CVE-2026-25782 | UNKNOWN | — | Gitea versions before 1.25.5 look up tracked-time entries by time ID without scoping the lookup to the issue in the request URL, allowing deletion attempts … | Jul 03, 2026 |
| CVE-2026-25779 | UNKNOWN | — | Gitea versions up to and including 1.25.4 allow redirect bypasses through raw or percent-encoded backslashes in redirect_to values. | Jul 03, 2026 |
| CVE-2026-25718 | UNKNOWN | — | Gitea versions before 1.25.5 mishandle path resolution during template repository generation, allowing template processing to read or write through symlinked or otherwise non-regular paths. | Jul 03, 2026 |
| CVE-2026-25714 | MEDIUM | 4.3 | Gitea versions up to and including 1.26.1 do not apply public-only token filtering consistently to the user organization API, leaving an incomplete fix for CVE-2025-68941. | Jul 03, 2026 |
| CVE-2026-25712 | UNKNOWN | — | Gitea versions before 1.25.5 have insufficient visibility checks in organization permission APIs for hidden members and private organizations. | Jul 03, 2026 |
| CVE-2026-25038 | UNKNOWN | — | Gitea 1.26.2 allows unauthorized users to access labels of private organizations. | Jul 03, 2026 |
| CVE-2026-24690 | UNKNOWN | — | Gitea versions before 1.25.5 have insufficient permission checks for updating or rebasing pull request branches. | Jul 03, 2026 |
| CVE-2026-24451 | UNKNOWN | — | Gitea 1.26.2 allows fork synchronization to continue after a parent repository changes from public to private, exposing data to a fork that should no longer … | Jul 03, 2026 |
| CVE-2026-22874 | CRITICAL | 9.6 | Gitea versions up to and including 1.26.2 have incomplete SSRF protection in webhook and migration allow-list filtering. | Jul 03, 2026 |
| CVE-2026-22555 | HIGH | 8.1 | Gitea versions before 1.26.0 allow API users to fork a repository into an organization without first passing the CanCreateOrgRepo check, which can expose organization secrets. | Jul 03, 2026 |
| CVE-2026-22547 | UNKNOWN | — | Gitea versions before 1.25.5 lack validation constraints for repository creation fields, including length-limited template fields and trust model or object format values. | Jul 03, 2026 |
| CVE-2026-20909 | UNKNOWN | — | Gitea versions before 1.25.5 have insufficient permission checks when listing tracked time entries. | Jul 03, 2026 |