CVE-2025-68942
Published 2025-12-26
Priority: P4 (25) · Severity: medium · CVSS 3.1 base score: 5.4
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (network, low complexity, low privileges required, user interaction required, scope changed, low confidentiality and integrity impact, no availability impact)
EPSS: 0.22% (12.7th percentile)
Gitea before 1.22.2 allows XSS because the search input box (for creating tags and branches) is v-html instead of v-text.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| code.gitea.io | gitea | >= 0 < 1.22.2 | 1.22.2 |
| gitea | gitea | < 1.22.2 | 1.22.2 |
CVSS provenance
NVD (v3.1): 5.4 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Red Hat (vendor): 5.4 MEDIUM
OSV
CVE-2025-68942 Gitea allows XSS because the search input box (for creating tags and branches) is v-html instead of v-text in code.gitea.io/gitea
osv · 2025-12-30
GHSA
CVE-2025-68942 [MEDIUM] CWE-79 Gitea allows XSS because the search input box (for creating tags and branches) is v-html instead of v-text
ghsa · 2025-12-26
Gitea before 1.22.2 allows XSS because the search input box (for creating tags and branches) is v-html instead of v-text.
OSV
CVE-2025-68942 [MEDIUM] Gitea allows XSS because the search input box (for creating tags and branches) is v-html instead of v-text
osv · 2025-12-26
Gitea before 1.22.2 allows XSS because the search input box (for creating tags and branches) is v-html instead of v-text.
Red Hat
CVE-2025-68942 [MEDIUM] CWE-79 gitea: Gitea: Cross-Site Scripting (XSS) vulnerability via search input
vendor_redhat · 2025-12-26 · CVSS 5.4
Gitea before 1.22.2 allows XSS because the search input box (for creating tags and branches) is v-html instead of v-text.
A flaw was found in Gitea. A remote attacker could exploit a Cross-Site Scripting (XSS) vulnerability by injecting malicious scripts into the search input box. This occurs because the application improperly uses `v-html` instead of `v-text` for rendering user input. Successful exploitation allows for the execution of arbitrary code in the context of the user's browser, potentially leading to information disclosure or unauthorized actions.
Statement: This vulnerability is rated Moderate for Red Hat OpenShift Pipelines versions 1.16 and 1.17 due to a Cross-Site Scripting (XSS) flaw in the integrate
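The root cause is the choice of Vue directive: `v-html` assigns the bound value to the element's innerHTML, so markup typed into the branch/tag search box is parsed and any inline event handler in it runs; `v-text` assigns the same value to textContent, so the string stays inert. The following JavaScript is an added illustration and is not Gitea's own component code: `renderItem`, the `<div class="item">` template strings, `findVHtmlBindings` and the payload are constructed for this example and only model what the two directives do to a reflected search term.

```javascript
// Added illustration of the CVE-2025-68942 root cause (not Gitea's code).
// v-html  -> element.innerHTML = value   (value is parsed as HTML)
// v-text  -> element.textContent = value (value is rendered as text)

// Escaping equivalent to how a browser serializes text content back to HTML.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Constructed stand-ins for the vulnerable and fixed template shapes
// (assumed names; the real component's markup is not reproduced here).
const VULNERABLE_TEMPLATE = '<div class="item" v-html="searchTerm"></div>';
const FIXED_TEMPLATE = '<div class="item" v-text="searchTerm"></div>';

// Minimal model of the two directives: returns the markup a browser would
// end up holding inside the dropdown item for a given search term.
function renderItem(directive, searchTerm) {
  switch (directive) {
    case 'v-html': // innerHTML: attacker-controlled string is parsed as HTML
      return `<div class="item">${searchTerm}</div>`;
    case 'v-text': // textContent: the same string is shown literally
      return `<div class="item">${escapeHtml(searchTerm)}</div>`;
    default:
      throw new Error(`unknown directive ${directive}`);
  }
}

// Rough check: does any element tag survive in the rendered markup once the
// template's own <div> wrapper is removed? If so, user input became markup.
const TEMPLATE_TAGS = /<\/?div\b[^>]*>/g;
function introducesMarkup(html) {
  const stripped = html.replace(TEMPLATE_TAGS, '');
  return /<[a-z][^>]*>/i.test(stripped);
}

// Review helper: list every v-html binding in a Vue template string so a
// reviewer can confirm each bound expression is trusted, not user input.
function findVHtmlBindings(template) {
  const out = [];
  const re = /v-html\s*=\s*"([^"]*)"/g;
  let m;
  while ((m = re.exec(template)) !== null) out.push(m[1]);
  return out;
}

// Constructed attacker-controlled search term: the text typed into the
// "create branch/tag" search box is reflected into the dropdown unchanged.
const PAYLOAD = '<img src=x onerror="alert(document.domain)">';

function demo() {
  const vulnerable = renderItem('v-html', PAYLOAD);
  const fixed = renderItem('v-text', PAYLOAD);
  return {
    vulnerable,
    fixed,
    vulnerableExecutes: introducesMarkup(vulnerable),
    fixedExecutes: introducesMarkup(fixed),
    vHtmlBindingsBefore: findVHtmlBindings(VULNERABLE_TEMPLATE),
    vHtmlBindingsAfter: findVHtmlBindings(FIXED_TEMPLATE),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  const r = demo();
  console.log('v-html:', r.vulnerable, '->', r.vulnerableExecutes ? 'markup injected' : 'inert');
  console.log('v-text:', r.fixed, '->', r.fixedExecutes ? 'markup injected' : 'inert');
  console.log('v-html bindings before fix:', r.vHtmlBindingsBefore, 'after:', r.vHtmlBindingsAfter);
}
```

On a deployed instance the practical check is the version (1.22.2 or later); when auditing a fork or a patched build, scanning the Vue components for `v-html` bound to anything derived from request or form data, as `findVHtmlBindings` does for a single template string, is the equivalent review step. Note that the UI:R and S:C parts of the vector reflect that a victim has to use the search box with the payload present and that the script then runs in the Gitea origin, not the attacker's.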
No detection rules found.
No public exploits indexed.