
Code.Gitea.Io Gitea vulnerabilities

51 known vulnerabilities affecting code.gitea.io/gitea.

Total CVEs: 51
CISA KEV: 0
Public exploits: 4
Exploited in wild: 0
Severity breakdown: CRITICAL 5, HIGH 10, MEDIUM 21, LOW 4, UNKNOWN 11

Vulnerabilities

Page 1 of 3
CVE-2022-30781 | P2 | HIGH | PoC | affected: ≥ 0, < 1.16.7 | 2022-05-17
[HIGH] CWE-116 Shell command injection in gitea. Gitea before 1.16.7 does not escape the shell-out for `git fetch remote`, allowing shell command injection.
Sources: ghsa, osv
CVE-2020-14144 | P2 | HIGH | PoC | affected: ≥ 1.1.0, < 1.12.6 | 2024-04-22
[HIGH] CWE-78 Arbitrary Code Execution in Gitea. The git hook feature in Gitea 1.1.0 through 1.12.5 allows for authenticated remote code execution.
Sources: ghsa, osv
CVE-2024-6886 | P2 | CRITICAL | PoC | affected: ≥ 0, < 1.22.1 | 2024-08-06
[CRITICAL] CWE-79 Gitea Cross-site Scripting Vulnerability. Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Gitea Open Source Git Server allows Stored XSS. This issue affects Gitea Open Source Git Server: 1.22.0. The description names only 1.22.0, while the listed affected range covers every version below 1.22.1.
Sources: ghsa, osv
CVE-2022-1058 | P3 | MEDIUM | PoC | affected: ≥ 0, < 1.16.5 | 2022-03-25
[MEDIUM] CWE-601 Gitea Open Redirect. Open redirect on login in GitHub repository go-gitea/gitea prior to 1.16.5.
Sources: ghsa, osv
CVE-2021-45327 | P3 | UNKNOWN | affected: ≥ 0, < 1.11.2 | 2024-08-21
Capture-replay in Gitea in code.gitea.io/gitea.
Sources: osv
CVE-2019-11576 | P3 | CRITICAL | affected: ≥ 0, < 1.8.0 | 2022-05-24
[CRITICAL] CWE-287 Gitea Allows 1FA Even for 2FA-Enrolled Accounts. Gitea before 1.8.0 allows single-factor authentication for user accounts that have completed 2FA enrollment: if a user's credentials are known, an attacker can send them to the API without the 2FA one-time password.
Sources: ghsa, osv
CVE-2021-45331 | P3 | CRITICAL | affected: ≥ 0, < 1.5.0 | 2022-02-10
[CRITICAL] CWE-287 Reuse of one time passwords allowed in Gitea. An authentication bypass vulnerability exists in Gitea before 1.5.0, which could let a malicious user gain privileges: if captured, the TOTP code for 2FA can be submitted correctly more than once.
Sources: ghsa, osv
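The replay described in CVE-2021-45331 is what happens when a TOTP verifier only checks that the submitted code is cryptographically valid for the current time window. The Go program below is an added illustration, not Gitea's code or its fix: it implements RFC 6238 TOTP (HMAC-SHA1, 6 digits, 30-second step) from the standard library, shows the stateless check that accepts a captured code as often as it is resent, and beside it a verifier that records the highest time step accepted per user and refuses that step or any earlier one. The user name, the in-memory maps and the demo secret (the RFC 6238 test-vector key) are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"sync"
	"time"
)

const stepSeconds = 30 // RFC 6238 default time step

// TOTPCode is the 6-digit RFC 6238 (HMAC-SHA1) code for one time step.
func TOTPCode(secret []byte, step uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], step)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := int(sum[len(sum)-1] & 0x0f)
	trunc := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", trunc%1000000)
}

// matchStep is the stateless check that is all a replayable verifier does:
// it returns the time step (now, or one step either side for clock skew)
// whose code equals the submitted one. Nothing stops the same code from
// matching again for as long as that step stays inside the window.
func matchStep(secret []byte, code string, now time.Time) (uint64, bool) {
	cur := uint64(now.Unix()) / stepSeconds
	for _, d := range []int64{0, -1, 1} {
		step := uint64(int64(cur) + d)
		if subtle.ConstantTimeCompare([]byte(TOTPCode(secret, step)), []byte(code)) == 1 {
			return step, true
		}
	}
	return 0, false
}

// Verifier adds the replay guard: the highest time step accepted for each
// user is remembered, and a code for that step or an earlier one is refused
// even though it is still cryptographically valid.
type Verifier struct {
	mu       sync.Mutex
	secrets  map[string][]byte // constructed in-memory store for the demo
	lastStep map[string]uint64
}

func NewVerifier() *Verifier {
	return &Verifier{secrets: map[string][]byte{}, lastStep: map[string]uint64{}}
}

func (v *Verifier) Enroll(user string, secret []byte) {
	v.mu.Lock()
	defer v.mu.Unlock()
	v.secrets[user] = secret
}

// Check reports whether code is valid for user at time now and has not
// already been consumed.
func (v *Verifier) Check(user, code string, now time.Time) bool {
	v.mu.Lock()
	defer v.mu.Unlock()
	secret, ok := v.secrets[user]
	if !ok {
		return false
	}
	step, ok := matchStep(secret, code, now)
	if !ok {
		return false
	}
	if last, seen := v.lastStep[user]; seen && step <= last {
		return false // replay of an already-consumed code
	}
	v.lastStep[user] = step
	return true
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 test-vector key, demo only
	now := time.Unix(59, 0)                 // time step 1
	code := TOTPCode(secret, uint64(now.Unix())/stepSeconds)
	_, first := matchStep(secret, code, now)
	_, second := matchStep(secret, code, now)
	fmt.Println("stateless check accepts twice:", first && second)
	v := NewVerifier()
	v.Enroll("alice", secret)
	fmt.Println("guarded first use:", v.Check("alice", code, now), "replay:", v.Check("alice", code, now))
}
```

The last-accepted step has to live wherever the secret lives (the user row in the database, not process memory), otherwise a restart or a second replica forgets it and the captured code works again. Recording the step rather than the code itself also covers the skew window: once step N is consumed, a code for N-1 that is still inside the window is refused too.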
CVE-2018-18926 | P3 | CRITICAL | affected: ≥ 0, < 1.5.2 | 2022-02-15
[CRITICAL] CWE-94 Gitea Remote Code Execution (RCE). Gitea before 1.5.4 allows remote code execution because it does not properly validate session IDs. This is related to session ID handling in the go-macaron/session code for Macaron. The description says "before 1.5.4" while the listed affected range ends at 1.5.2; treat anything below 1.5.4 as suspect until checked against the source advisories.
Sources: ghsa, osv
CVE-2026-20897 | P3 | UNKNOWN | affected: ≥ 0, < 1.25.4 | 2026-02-02
Gitea does not properly validate repository ownership when deleting Git LFS locks.
Sources: osv
CVE-2018-15192 | P3 | HIGH | affected: ≥ 0, < 1.16.0-rc1 | 2022-05-14
[HIGH] CWE-918 Gogs and Gitea SSRF Vulnerability. An SSRF vulnerability in webhooks in Gitea through 1.5.0-rc2 and Gogs through 0.11.53 allows remote attackers to access intranet services. The description says "through 1.5.0-rc2" while the listed affected range extends to everything below 1.16.0-rc1.
Sources: ghsa, osv
CVE-2026-20750 | P3 | UNKNOWN | affected: ≥ 0, < 1.25.4 | 2026-02-02
Gitea does not properly validate project ownership in organization project operations.
Sources: osv
CVE-2026-20912 | P3 | UNKNOWN | affected: ≥ 0, < 1.25.4 | 2026-02-02
Gitea does not properly validate repository ownership when linking attachments to releases.
Sources: osv
CVE-2021-45330 | P3 | CRITICAL | affected: ≥ 0, < 1.6.0 | 2022-02-10
[CRITICAL] CWE-269 Improper Privilege Management in Gitea. An issue exists in Gitea through 1.15.7, which could let a malicious user gain privileges because client-side cookies are not deleted and the session remains valid on the server side for reuse. The description says "through 1.15.7" while the listed affected range ends at 1.6.0.
Sources: ghsa, osv
CVE-2026-20736 | P3 | LOW | affected: ≥ 0, < 1.25.4 | 2026-01-23
[LOW] CWE-284 Gitea has improper access control for uploaded attachments. Gitea does not properly verify repository context when deleting attachments. A user who previously uploaded an attachment to a repository may be able to delete it after losing access to that repository by making the request through a different repository they can access.
Sources: ghsa, osv
CVE-2022-42968 | P3 | UNKNOWN | affected: ≥ 0, < 1.17.3 | 2024-08-21
Gitea vulnerable to Argument Injection.
Sources: osv
CVE-2026-20800 | P3 | UNKNOWN | affected: ≥ 0, < 1.25.4 | 2026-02-02
Gitea improperly exposes issue and pull request titles.
Sources: osv
CVE-2026-20883 | P3 | UNKNOWN | affected: ≥ 0, < 1.25.4 | 2026-02-02
Gitea improperly exposes issue titles and repository names through previously started stopwatches.
Sources: osv
CVE-2020-13246 | P3 | UNKNOWN | affected: ≥ 0, < 1.12.0 | 2024-08-21
Denial of Service in Gitea.
Sources: osv
CVE-2021-3382 | P3 | UNKNOWN | affected: ≥ 1.9.0, < 1.13.2 | 2024-06-04
Buffer Overflow in gitea.
Sources: osv
CVE-2022-38183 | P3 | MEDIUM | affected: ≥ 0, < 1.16.9 | 2022-08-13
[MEDIUM] CWE-732 Gitea allowed assignment of private issues. In Gitea before 1.16.9, it was possible for users to add existing issues to projects. Due to improper access controls (there was no permission check when fetching the issue), an attacker could assign any issue to any project and thereby gain access to private issue titles.
Sources: ghsa, osv
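Each row above carries an affected range in the form "≥ A, < B", and several rows use pre-release bounds such as "< 1.16.0-rc1", which a naive string comparison gets wrong (a 1.16.0 release is newer than 1.16.0-rc1 and so not in that range). The Go program below is an added example, not part of this page or of the cvebase or Gitea code: it parses ranges in exactly the notation printed here, compares versions semver-style with pre-release handling, and reports which rows apply to a given Gitea version. The `Entries` table is a hand-copied subset of the rows on this page, constructed for the example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Entry is one row of the listing: the CVE and its affected range exactly
// as the page prints it, e.g. "≥ 1.1.0, < 1.12.6".
type Entry struct {
	CVE   string
	Range string
}

// Entries is a constructed subset of the rows above, not a complete feed.
var Entries = []Entry{
	{"CVE-2022-30781", "≥ 0, < 1.16.7"},
	{"CVE-2020-14144", "≥ 1.1.0, < 1.12.6"},
	{"CVE-2024-6886", "≥ 0, < 1.22.1"},
	{"CVE-2018-15192", "≥ 0, < 1.16.0-rc1"},
	{"CVE-2021-3382", "≥ 1.9.0, < 1.13.2"},
	{"CVE-2026-20897", "≥ 0, < 1.25.4"},
}

// version is major.minor.patch plus an optional pre-release tag ("rc1").
type version struct {
	nums [3]int
	pre  string
}

func parseVersion(s string) (version, error) {
	var v version
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	if i := strings.IndexByte(s, '-'); i >= 0 {
		v.pre, s = s[i+1:], s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) > 3 {
		return v, fmt.Errorf("bad version %q", s)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return v, fmt.Errorf("bad version %q", s)
		}
		v.nums[i] = n
	}
	return v, nil
}

// compare orders numeric fields first; a pre-release sorts before the
// release it precedes (1.16.0-rc1 < 1.16.0). Pre-release tags are compared
// as plain strings, enough for the rcN tags on this page but it would
// misorder rc10 against rc2.
func compare(a, b version) int {
	for i := range a.nums {
		if a.nums[i] != b.nums[i] {
			if a.nums[i] < b.nums[i] {
				return -1
			}
			return 1
		}
	}
	switch {
	case a.pre == b.pre:
		return 0
	case a.pre == "":
		return 1
	case b.pre == "":
		return -1
	}
	return strings.Compare(a.pre, b.pre)
}

// inRange evaluates comma-separated "≥ A" / "< B" clauses against v.
func inRange(v version, rng string) (bool, error) {
	for _, clause := range strings.Split(rng, ",") {
		clause = strings.TrimSpace(clause)
		lower := strings.HasPrefix(clause, "≥")
		if !lower && !strings.HasPrefix(clause, "<") {
			return false, fmt.Errorf("unsupported clause %q", clause)
		}
		b, err := parseVersion(strings.TrimLeft(clause, "≥<"))
		if err != nil {
			return false, err
		}
		c := compare(v, b)
		if (lower && c < 0) || (!lower && c >= 0) {
			return false, nil
		}
	}
	return true, nil
}

// Affected returns the CVEs from Entries whose range contains the bare
// version string of a Gitea instance (e.g. "1.16.0-rc1").
func Affected(gitea string) ([]string, error) {
	v, err := parseVersion(gitea)
	if err != nil {
		return nil, err
	}
	var hits []string
	for _, e := range Entries {
		ok, err := inRange(v, e.Range)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", e.CVE, err)
		}
		if ok {
			hits = append(hits, e.CVE)
		}
	}
	return hits, nil
}

func main() {
	for _, ver := range []string{"1.12.5", "1.16.0-rc1", "1.16.0", "1.25.4"} {
		hits, err := Affected(ver)
		fmt.Printf("%-12s %v %v\n", ver, hits, err)
	}
}
```

Where the description and the listed range disagree (as several rows above do), the range is what this check uses, so widen the table entry by hand to the larger of the two before trusting a "not affected" answer.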