CVE-2025-68943
Published: 2025-12-26
CVE-2025-68943: Gitea before 1.21.8 inadvertently discloses users' login times by allowing (for example) the lastlogintime explore/users sort order.
Priority: P427 · Severity: medium · CVSS 3.1 base score: 5.3
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS: 0.33% (24.5th percentile)
Gitea before 1.21.8 inadvertently discloses users' login times by allowing (for example) the lastlogintime explore/users sort order.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| code.gitea.io | gitea | >= 0 < 1.21.8 | 1.21.8 |
| gitea | gitea | < 1.21.8 | 1.21.8 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| vendor_redhat | | 5.3 | MEDIUM | |
OSV
Gitea inadvertently discloses users' login times by allowing (for example) the lastlogintime explore/users sort order in code.gitea.io/gitea
osv · 2025-12-30 · CVE-2025-68943
OSV
Gitea inadvertently discloses users' login times by allowing (for example) the lastlogintime explore/users sort order
osv · 2025-12-26 · CVE-2025-68943 · MEDIUM
Gitea before 1.21.8 inadvertently discloses users' login times by allowing (for example) the lastlogintime explore/users sort order.
GHSA
Gitea inadvertently discloses users' login times by allowing (for example) the lastlogintime explore/users sort order
ghsa · 2025-12-26 · CVE-2025-68943 · MEDIUM · CWE-497
Gitea before 1.21.8 inadvertently discloses users' login times by allowing (for example) the lastlogintime explore/users sort order.
Red Hat
gitea: Gitea: Information disclosure of user login times via sort order
vendor_redhat · 2025-12-26 · CVE-2025-68943 · CVSS 5.3 · MEDIUM · CWE-497
Gitea before 1.21.8 inadvertently discloses users' login times by allowing (for example) the lastlogintime explore/users sort order.
A flaw was found in Gitea. This vulnerability allows for the inadvertent disclosure of users' login times. A remote attacker can exploit this by utilizing the `lastlogintime` explore/users sort order, leading to the exposure of sensitive user activity information.
Statement: In the Red Hat context, Red Hat OpenShift Pipelines components are not affected, as the vulnerable code is not present.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applica
No detection rules found.
No public exploits indexed.
Published: 2025-12-26