Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2020-14144OS Command Injection in Gitea

CWE-78OS Command Injection8 documents7 sources
Severity
7.2HIGHNVD
EPSS
93.5%
top 0.17%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
2
Code.gitea.io GiteaGitea
Timeline
PublishedOct 16
Latest updateJul 1

Description

The git hook feature in Gitea 1.1.0 through 1.12.5 might allow for authenticated remote code execution in customer environments where the documentation was not understood (e.g., one viewpoint is that the dangerousness of this feature should be documented immediately above the ENABLE_GIT_HOOKS line in the config file). NOTE: The vendor has indicated this is not a vulnerability and states "This is a functionality of the software that is limited to a very limited subset of accounts. If you give som

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 1.2 | Impact: 5.9

Affected Packages2 packages

Gocode.gitea.io/gitea1.1.01.12.6
NVDgitea/gitea1.1.01.12.5

🔴Vulnerability Details

2
GHSA
Arbitrary Code Execution in Gitea2024-04-22
OSV
Arbitrary Code Execution in Gitea2024-04-22

💥Exploits & PoCs

3
Exploit-DB
Gitea 1.12.5 - Remote Code Execution (Authenticated)2021-02-18
Nuclei
Gitea 1.1.0 - 1.12.5 - Remote Code Execution
Metasploit
Gitea Git Hooks Remote Code Execution

🕵️Threat Intelligence

2
Wiz
Crying Out Cloud Newsletter - July 2025 | Wiz2025-07-01
Wiz
DevOps Tools Targeted for Cryptojacking | Wiz Blog2025-06-02