CVE-2025-68946
Published 2025-12-26
Priority: P4 (26) · Severity: medium · CVSS 3.1 base score: 5.4
CVSS vector: AV:N / AC:L / PR:L / UI:R / S:C / C:L / I:L / A:N
EPSS: 0.22% (12.7th percentile)
In Gitea before 1.20.1, a forbidden URL scheme such as javascript: can be used for a link, aka XSS.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| code.gitea.io | gitea | >= 0 < 1.20.1 | 1.20.1 |
| gitea | gitea | < 1.20.1 | 1.20.1 |
| gitea | gitea | >= 1.20.0 < 1.20.1 | 1.20.1 |
CVSS provenance
nvd (v3.1): 5.4 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
vendor_redhat: 5.4 MEDIUM
Red Hat
gitea: Gitea: Cross-Site Scripting (XSS) via forbidden URL scheme in links
vendor_redhat · 2025-12-26 · CVSS 5.4 · MEDIUM · CWE-79
A flaw was found in Gitea. A remote attacker with enough access to author content containing a link could exploit this vulnerability by giving that link a target with a forbidden URL scheme, such as `javascript:`. When another user clicks the link, the attacker's script runs in that user's browser in the origin of the Gitea instance (Cross-Site Scripting), which can be used to act as that user or disclose sensitive information. The CVSS vector reflects the preconditions: low privileges (PR:L) to plant the link and user interaction (UI:R) to trigger it.
Statement: This vulnerability is rated Moderate. In the Red Hat context, none of the listed OpenShift Pipelines components are affected, as the vulnerable code is not present in them.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria
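To make the fix for this class of bug concrete, here is an added Go example (not Gitea's own code, and not the patch that shipped in 1.20.1) of a link-target allowlist: any absolute URL whose scheme is not http, https or mailto is dropped, relative targets are kept, and the input is first preprocessed the way a browser preprocesses an href (HTML entity decoding, deletion of tab/LF/CR, trimming of leading and trailing controls and spaces) so that obfuscated spellings a naive prefix check would miss are rejected as well. The function name `SafeHref`, the allowlist contents and the sample inputs are assumptions constructed for this example.

```go
package main

import (
	"fmt"
	"html"
	"net/url"
	"strings"
)

// allowedSchemes is the allowlist for absolute link targets (an assumption for
// this example; a real deployment would tune it). Anything not listed here,
// such as javascript:, data: or vbscript:, is rejected. Allowlisting beats
// denylisting because browsers accept scheme spellings a denylist won't predict.
var allowedSchemes = map[string]bool{
	"http":   true,
	"https":  true,
	"mailto": true,
}

// SafeHref decides whether a user-supplied link target may be emitted as an
// href attribute. It returns the normalized target and true when it is
// acceptable, or "" and false when the link must be dropped.
func SafeHref(raw string) (string, bool) {
	// 1. Decode HTML entities first: a browser decodes "javascript&colon;alert(1)"
	//    inside an attribute value before it parses the URL, so the check must
	//    see the same string the browser will.
	s := html.UnescapeString(raw)

	// 2. Mimic the browser URL parser's preprocessing: tab, LF and CR are
	//    deleted anywhere in the input, and leading/trailing C0 controls and
	//    spaces are trimmed. Without this, "java\tscript:" or " javascript:"
	//    would not look like a javascript: URL to a scheme check, yet the
	//    browser would still run it as script.
	s = strings.Map(func(r rune) rune {
		if r == '\t' || r == '\n' || r == '\r' {
			return -1 // drop the rune
		}
		return r
	}, s)
	s = strings.TrimFunc(s, func(r rune) bool { return r <= 0x20 })
	if s == "" {
		return "", false
	}

	// 3. Parse with the standard library; anything it cannot parse is dropped
	//    rather than guessed at.
	u, err := url.Parse(s)
	if err != nil {
		return "", false
	}

	// 4. Relative targets (no scheme) are fine: "/path", "#anchor", "//host/x".
	if u.Scheme == "" {
		return s, true
	}

	// 5. Absolute targets must use an allowlisted scheme. net/url already
	//    lowercases the scheme; ToLower here makes the intent explicit.
	if !allowedSchemes[strings.ToLower(u.Scheme)] {
		return "", false
	}
	return s, true
}

func main() {
	// Constructed inputs for illustration only; not taken from any real
	// Gitea content or report.
	cases := []string{
		"https://example.org/repo",
		"/user/repo/issues/1",
		"#section",
		"mailto:dev@example.org",
		"javascript:alert(1)",
		"JaVaScRiPt:alert(1)",
		" javascript:alert(1)",
		"java\tscript:alert(1)",
		"javascript&colon;alert(1)",
		"data:text/html,<script>alert(1)</script>",
		"vbscript:MsgBox(1)",
	}
	for _, c := range cases {
		href, ok := SafeHref(c)
		fmt.Printf("%-45q allowed=%-5v href=%q\n", c, ok, href)
	}
}
```

The order of the steps matters: decoding entities and stripping tab/newline before parsing is what keeps the check aligned with what the browser will actually execute; a check that only lowercases and compares against "javascript:" passes several of the inputs above.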
OSV
Gitea vulnerable to Cross-site Scripting in code.gitea.io/gitea
osv · 2025-12-30
GHSA
Gitea vulnerable to Cross-site Scripting
ghsa · 2025-12-26 · MEDIUM · CWE-79
OSV
Gitea vulnerable to Cross-site Scripting
osv · 2025-12-26 · MEDIUM
No detection rules found.
No public exploits indexed.
Published: 2025-12-26