CVE-2026-25779
Published: 2026-06-17
Severity: medium
Gitea: Open Redirect via redirect_to

### Details

Despite the validation within `urlIsRelative` in `modules/httplib/url.go`, an open redirect is still possible due to the use of directory traversal sequences plus a backslash in the `redirect_to` parameter.

### PoC

When a user logs in via this URL:

`https://gitea.com/user/login?redirect_to=/a/../\example.com`

they are redirected to `example.com` after a successful login to their Gitea account.

### Impact

* Phishing: attackers can use trusted-domain links to redirect victims to credential-harvesting pages
* OAuth/SSO token theft: in authentication flows, authorization codes or tokens may leak via the redirect
* Referer leakage: sensitive URL parameters may be exposed to attacker domains via the Referer header
* Cache poisoning: in deployments with shared caches, malicious redirects may be cached and served to other users
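As an added illustration (not Gitea's code; `urlIsRelative` is not reproduced here and the function names are hypothetical), the Go snippet below shows why a check on the raw `redirect_to` string is not enough: `path.Clean` turns the PoC value into `/\example.com`, which browsers read as the scheme-relative URL `//example.com`. The hardened check rejects backslashes outright and validates the normalised path that would actually be emitted in `Location`.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// naiveIsRelative is an illustrative weak check (not Gitea's urlIsRelative):
// it inspects only what net/url reports about the raw redirect_to value.
func naiveIsRelative(target string) bool {
	u, err := url.Parse(target)
	return err == nil && u.Scheme == "" && u.Host == "" &&
		strings.HasPrefix(target, "/") && !strings.HasPrefix(target, "//")
}

// cleanRedirectPath stands in for the path normalisation a server applies
// before emitting Location. "/a/../\example.com" collapses to "/\example.com",
// which browsers interpret as the scheme-relative URL "//example.com".
func cleanRedirectPath(target string) string {
	return path.Clean(target)
}

// isSafeLocalRedirect is the hardened check: reject backslashes (browsers
// treat them as "/"), require an empty scheme/host/userinfo, and validate the
// normalised path that will actually be sent. net/url already rejects control
// bytes, so those fall out as a parse error.
func isSafeLocalRedirect(target string) bool {
	if target == "" || strings.Contains(target, "\\") {
		return false
	}
	u, err := url.Parse(target)
	if err != nil || u.Scheme != "" || u.Host != "" || u.User != nil || u.Opaque != "" {
		return false
	}
	clean := cleanRedirectPath(u.Path)
	// Exactly one leading "/": "//host" would be scheme-relative.
	return strings.HasPrefix(clean, "/") && !strings.HasPrefix(clean, "//")
}

func main() {
	poc := `/a/../\example.com` // the advisory's PoC value
	fmt.Printf("naive check passes: %v\n", naiveIsRelative(poc))
	fmt.Printf("normalised Location: %q\n", cleanRedirectPath(poc))
	fmt.Printf("hardened check passes: %v\n", isSafeLocalRedirect(poc))
}
```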
Affected (1 range):
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | go-gitea_gitea | >= 0 < 1.26.0 | 1.26.0 |
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.