CVE-2025-68942 — Cross-site Scripting in Gitea

Severity

5.4MEDIUMNVD

EPSS

0.0%

top 98.36%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Timeline

PublishedDec 26

Latest updateDec 30

Description

Gitea before 1.22.2 allows XSS because the search input box (for creating tags and branches) is v-html instead of v-text.

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

▶NVDgitea/gitea< 1.22.2

OSV

Gitea allows XSS because the search input box (for creating tags and branches) is v-html instead of v-text in code.gitea.io/gitea↗2025-12-30

▶

GHSA

Gitea allows XSS because the search input box (for creating tags and branches) is v-html instead of v-text↗2025-12-26

▶

OSV

Gitea allows XSS because the search input box (for creating tags and branches) is v-html instead of v-text↗2025-12-26

▶

Red Hat

gitea: Gitea: Cross-Site Scripting (XSS) vulnerability via search input↗2025-12-26

▶

Wiz

CVE-2025-68942 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶