Code.Gitea.Io Gitea vulnerabilities
42 known vulnerabilities affecting code.gitea.io/gitea.
Total CVEs: 42
CISA KEV: 0
Public exploits: 4
Exploited in wild: 0
Severity breakdown: CRITICAL 5, HIGH 5, MEDIUM 17, LOW 4, UNKNOWN 11
Vulnerabilities
Page 1 of 3
CVE-2026-20912 | Severity: UNKNOWN | Affected versions: ≥ 0, < 1.25.4 | Published: 2026-02-02
Gitea does not properly validate repository ownership when linking attachments to releases in code.gitea.io/gitea
Source: osv

CVE-2026-20800 | Severity: UNKNOWN | Affected versions: ≥ 0, < 1.25.4 | Published: 2026-02-02
Gitea improperly exposes issue and pull request titles in code.gitea.io/gitea
Source: osv

CVE-2026-20750 | Severity: UNKNOWN | Affected versions: ≥ 0, < 1.25.4 | Published: 2026-02-02
Gitea does not properly validate project ownership in organization project operations in code.gitea.io/gitea
Source: osv

CVE-2026-20888 | Severity: UNKNOWN | Affected versions: ≥ 0, < 1.25.4 | Published: 2026-02-02
Gitea does not properly verify authorization when canceling scheduled auto-merges via the web interface in code.gitea.io/gitea
Source: osv

CVE-2026-20904 | Severity: UNKNOWN | Affected versions: ≥ 0, < 1.25.4 | Published: 2026-02-02
Gitea does not properly validate ownership when toggling OpenID URI visibility in code.gitea.io/gitea
Source: osv

CVE-2026-20883 | Severity: UNKNOWN | Affected versions: ≥ 0, < 1.25.4 | Published: 2026-02-02
Gitea improperly exposes issue titles and repository names through previously started stopwatches in code.gitea.io/gitea
Source: osv

CVE-2026-20897 | Severity: UNKNOWN | Affected versions: ≥ 0, < 1.25.4 | Published: 2026-02-02
Gitea does not properly validate repository ownership when deleting Git LFS locks in code.gitea.io/gitea
Source: osv

CVE-2026-0798 | Severity: LOW | CWE-284 | Affected versions: ≥ 0, < 1.25.4 | Published: 2026-01-23
Gitea may send release notification emails for private repositories to users whose access has been revoked
Gitea may send release notification emails for private repositories to users whose access has been revoked. When a repository is changed from public to private, users who previously watched the repository may continue to receive release notifications, poten
Sources: ghsa, osv

CVE-2026-20736 | Severity: LOW | CWE-284 | Affected versions: ≥ 0, < 1.25.4 | Published: 2026-01-23
Gitea has improper access control for uploaded attachments
Gitea does not properly verify repository context when deleting attachments. A user who previously uploaded an attachment to a repository may be able to delete it after losing access to that repository by making the request through a different repository they can access.
Sources: ghsa, osv

CVE-2025-69413 | Severity: MEDIUM | CWE-204 | Affected versions: ≥ 0, < 1.25.2 | Published: 2026-01-01
Gitea's /api/v1/user endpoint has different responses for failed authentication depending on whether a username exists
In Gitea before 1.25.2, /api/v1/user has different responses for failed authentication depending on whether a username exists.
Sources: ghsa, osv

CVE-2025-68944 | Severity: MEDIUM | CWE-441 | Affected versions: ≥ 0, < 1.22.2 | Published: 2025-12-26
Gitea sometimes mishandles propagation of token scope for access control within one of its own package registries
Gitea before 1.22.2 sometimes mishandles the propagation of token scope for access control within one of its own package registries.
Sources: ghsa, osv

CVE-2025-68938 | Severity: MEDIUM | CWE-863 | Affected versions: ≥ 0, < 1.25.2 | Published: 2025-12-26
Gitea mishandles authorization for deletion of releases
Gitea before 1.25.2 mishandles authorization for deletion of releases.
Sources: ghsa, osv

CVE-2025-68945 | Severity: MEDIUM | CWE-359 | Affected versions: ≥ 0, < 1.21.2 | Published: 2025-12-26
Gitea: anonymous user can visit private user's project
In Gitea before 1.21.2, an anonymous user can visit a private user's project.
Sources: ghsa, osv

CVE-2025-68942 | Severity: MEDIUM | CWE-79 | Affected versions: ≥ 0, < 1.22.2 | Published: 2025-12-26
Gitea allows XSS because the search input box (for creating tags and branches) is v-html instead of v-text
Gitea before 1.22.2 allows XSS because the search input box (for creating tags and branches) is v-html instead of v-text.
Sources: ghsa, osv

CVE-2025-68943 | Severity: MEDIUM | CWE-497 | Affected versions: ≥ 0, < 1.21.8 | Published: 2025-12-26
Gitea inadvertently discloses users' login times by allowing (for example) the lastlogintime explore/users sort order
Gitea before 1.21.8 inadvertently discloses users' login times by allowing (for example) the lastlogintime explore/users sort order.
Sources: ghsa, osv

CVE-2025-68941 | Severity: MEDIUM | CWE-863 | Affected versions: ≥ 0, < 1.22.3 | Published: 2025-12-26
Gitea mishandles access to a private resource upon receiving an API token with scope limited to public resources
Gitea before 1.22.3 mishandles access to a private resource upon receiving an API token with scope limited to public resources.
Sources: ghsa, osv

CVE-2025-68946 | Severity: MEDIUM | CWE-79 | Affected versions: ≥ 0, < 1.20.1 | Published: 2025-12-26
Gitea vulnerable to Cross-site Scripting
In Gitea before 1.20.1, a forbidden URL scheme such as javascript: can be used for a link, aka XSS.
Sources: ghsa, osv

CVE-2025-68940 | Severity: LOW | CWE-863 | Affected versions: ≥ 0, < 1.22.5 | Published: 2025-12-26
Gitea doesn't adequately enforce branch deletion permissions after merging a pull request.
In Gitea before 1.22.5, branch deletion permissions are not adequately enforced after merging a pull request.
Sources: ghsa, osv

CVE-2021-45327 | Severity: UNKNOWN | Affected versions: ≥ 0, < 1.11.2 | Published: 2024-08-21
Capture-replay in Gitea in code.gitea.io/gitea
Source: osv

CVE-2020-13246 | Severity: UNKNOWN | Affected versions: ≥ 0, < 1.12.0 | Published: 2024-08-21
Denial of Service in Gitea in code.gitea.io/gitea
Source: osv