CVE-2026-25779
published 2026-06-17


Severity: medium
Gitea: Open Redirect via redirect_to

### Details

Despite the validation in `urlIsRelative` in `modules/httplib/url.go`, an open redirect is still possible because the `redirect_to` parameter can contain directory traversal sequences followed by a backslash.

### PoC

When a user logs in through this URL:

`https://gitea.com/user/login?redirect_to=/a/../\example.com`

they are redirected to `example.com` after successfully logging in to their Gitea account.
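As an added example (not Gitea's own code and not the patched `urlIsRelative`), the following Go check shows what a post-login redirect validator needs to reject for the `redirect_to` value above: any backslash (raw or percent-encoded, since browsers treat `\` as `/`), protocol-relative `//` prefixes, absolute URLs, and paths that no longer start with a single `/` after dot-segment resolution. The function name `isSafeLocalRedirect` is assumed for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// isSafeLocalRedirect reports whether target is safe to use as a post-login
// redirect, i.e. it stays on the current origin even after the browser
// normalizes backslashes and dot-segments. Illustrative hardened check.
func isSafeLocalRedirect(target string) bool {
	if target == "" {
		return false
	}
	// Browsers rewrite "\" to "/", so "/a/../\example.com" becomes
	// "//example.com" client-side. Reject backslashes instead of normalizing.
	if strings.ContainsAny(target, "\\") {
		return false
	}
	// Must be an absolute-path reference: exactly one leading slash.
	if !strings.HasPrefix(target, "/") || strings.HasPrefix(target, "//") {
		return false
	}
	u, err := url.Parse(target)
	if err != nil || u.Scheme != "" || u.Host != "" || u.User != nil {
		return false
	}
	// u.Path is percent-decoded, so this also catches "%5c" backslashes.
	if strings.ContainsAny(u.Path, "\\") {
		return false
	}
	// Resolve "." and ".." segments; the result must still be a single
	// leading slash path rather than a protocol-relative "//host" form.
	cleaned := path.Clean(u.Path)
	if !strings.HasPrefix(cleaned, "/") || strings.HasPrefix(cleaned, "//") {
		return false
	}
	return true
}

func main() {
	// Constructed sample inputs: the PoC value from the advisory plus
	// an encoded variant and two legitimate in-app paths.
	for _, t := range []string{`/a/../\example.com`, "/a/../%5cexample.com", "//example.com", "/user/settings?tab=1", "/a/../b"} {
		fmt.Printf("%-28q safe=%v\n", t, isSafeLocalRedirect(t))
	}
}
```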

### Impact

* Phishing: Attackers can use trusted domain links to redirect victims to credential-harvesting pages
* OAuth/SSO Token Theft: In authentication flows, authorization codes or tokens may leak via redirect
* Referer Leakage: Sensitive URL parameters may be exposed to attacker domains via the Referer header
* Cache Poisoning: In deployments with shared caches, malicious redirects may be cached and served to other users

### Affected

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | go-gitea_gitea | >= 0, < 1.26.0 | 1.26.0 |