CVE-2025-68946Cross-site Scripting in Gitea

CWE-79Cross-site Scripting6 documents5 sources
Severity
5.4MEDIUMNVD
EPSS
0.0%
top 98.36%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
GiteaCode.gitea.io Gitea
Timeline
PublishedDec 26
Latest updateDec 30

Description

In Gitea before 1.20.1, a forbidden URL scheme such as javascript: can be used for a link, aka XSS.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages3 packages

CVEListV5gitea/gitea1.20.01.20.1
NVDgitea/gitea< 1.20.1
Gocode.gitea.io/gitea< 1.20.1

Patches

Patch: github.com

🔴Vulnerability Details

3
OSV
Gitea vulnerable to Cross-site Scripting in code.gitea.io/gitea2025-12-30
GHSA
Gitea vulnerable to Cross-site Scripting2025-12-26
OSV
Gitea vulnerable to Cross-site Scripting2025-12-26

📋Vendor Advisories

1
Red Hat
gitea: Gitea: Cross-Site Scripting (XSS) via forbidden URL scheme in links2025-12-26

🕵️Threat Intelligence

1
Wiz
CVE-2025-68946 Impact, Exploitability, and Mitigation Steps | Wiz