Code.Gitea.Io Gitea vulnerabilities
51 known vulnerabilities affecting code.gitea.io/gitea.
Total CVEs: 51
CISA KEV: 0
Public exploits: 4
Exploited in wild: 0
Severity breakdown: CRITICAL 5 | HIGH 10 | MEDIUM 21 | LOW 4 | UNKNOWN 11
Vulnerabilities
Page 1 of 3
CVE-2022-30781 [HIGH] CWE-116 Shell command injection in gitea
Priority: P2 | Public PoC: yes | Affected: ≥ 0, < 1.16.7 | Date: 2022-05-17
Gitea before 1.16.7 does not escape the shell out for `git fetch remote`, allowing shell command injection.
Sources: GHSA, OSV
CVE-2020-14144 [HIGH] CWE-78 Arbitrary Code Execution in Gitea
Priority: P2 | Public PoC: yes | Affected: ≥ 1.1.0, < 1.12.6 | Date: 2024-04-22
The git hook feature in Gitea 1.1.0 through 1.12.5 allows for authenticated remote code execution.
Sources: GHSA, OSV
CVE-2024-6886 [CRITICAL] CWE-79 Gitea Cross-site Scripting Vulnerability
Priority: P2 | Public PoC: yes | Affected: ≥ 0, < 1.22.1 | Date: 2024-08-06
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Gitea Open Source Git Server allows Stored XSS. This issue affects Gitea Open Source Git Server: 1.22.0.
Sources: GHSA, OSV
CVE-2022-1058 [MEDIUM] CWE-601 Gitea Open Redirect
Priority: P3 | Public PoC: yes | Affected: ≥ 0, < 1.16.5 | Date: 2022-03-25
Open Redirect on login in GitHub repository go-gitea/gitea prior to 1.16.5.
Sources: GHSA, OSV
CVE-2021-45327 [UNKNOWN] Capture-replay in Gitea in code.gitea.io/gitea
Priority: P3 | Public PoC: no | Affected: ≥ 0, < 1.11.2 | Date: 2024-08-21
Sources: OSV
CVE-2019-11576 [CRITICAL] CWE-287 Gitea Allows 1FA Even for 2FA-Enrolled Accounts
Priority: P3 | Public PoC: no | Affected: ≥ 0, < 1.8.0 | Date: 2022-05-24
Gitea before 1.8.0 allows 1FA for user accounts that have completed 2FA enrollment. If a user's credentials are known, then an attacker could send them to the API without requiring the 2FA one-time password.
Sources: GHSA, OSV
CVE-2021-45331 [CRITICAL] CWE-287 Reuse of one time passwords allowed in Gitea
Priority: P3 | Public PoC: no | Affected: ≥ 0, < 1.5.0 | Date: 2022-02-10
An Authentication Bypass vulnerability exists in Gitea before 1.5.0, which could let a malicious user gain privileges. If captured, the TOTP code for the 2FA can be submitted correctly more than once.
Sources: GHSA, OSV
CVE-2018-18926 [CRITICAL] CWE-94 Gitea Remote Code Execution (RCE)
Priority: P3 | Public PoC: no | Affected: ≥ 0, < 1.5.2 | Date: 2022-02-15
Gitea before 1.5.4 allows remote code execution because it does not properly validate session IDs. This is related to session ID handling in the go-macaron/session code for Macaron.
Sources: GHSA, OSV
CVE-2026-20897 [UNKNOWN] Gitea does not properly validate repository ownership when deleting Git LFS locks in code.gitea.io/gitea
Priority: P3 | Public PoC: no | Affected: ≥ 0, < 1.25.4 | Date: 2026-02-02
Sources: OSV
CVE-2018-15192 [HIGH] CWE-918 Gogs and Gitea SSRF Vulnerability
Priority: P3 | Public PoC: no | Affected: ≥ 0, < 1.16.0-rc1 | Date: 2022-05-14
An SSRF vulnerability in webhooks in Gitea through 1.5.0-rc2 and Gogs through 0.11.53 allows remote attackers to access intranet services.
Sources: GHSA, OSV
CVE-2026-20750 [UNKNOWN] Gitea does not properly validate project ownership in organization project operations in code.gitea.io/gitea
Priority: P3 | Public PoC: no | Affected: ≥ 0, < 1.25.4 | Date: 2026-02-02
Sources: OSV
CVE-2026-20912 [UNKNOWN] Gitea does not properly validate repository ownership when linking attachments to releases in code.gitea.io/gitea
Priority: P3 | Public PoC: no | Affected: ≥ 0, < 1.25.4 | Date: 2026-02-02
Sources: OSV
CVE-2021-45330 [CRITICAL] CWE-269 Improper Privilege Management in Gitea
Priority: P3 | Public PoC: no | Affected: ≥ 0, < 1.6.0 | Date: 2022-02-10
An issue exists in Gitea through 1.15.7, which could let a malicious user gain privileges because client-side cookies are not deleted and the session remains valid on the server side for reuse.
Sources: GHSA, OSV
CVE-2026-20736 [LOW] CWE-284 Gitea has improper access control for uploaded attachments
Priority: P3 | Public PoC: no | Affected: ≥ 0, < 1.25.4 | Date: 2026-01-23
Gitea does not properly verify repository context when deleting attachments. A user who previously uploaded an attachment to a repository may be able to delete it after losing access to that repository by making the request through a different repository they can access.
Sources: GHSA, OSV
CVE-2022-42968 [UNKNOWN] Gitea vulnerable to Argument Injection in code.gitea.io/gitea
Priority: P3 | Public PoC: no | Affected: ≥ 0, < 1.17.3 | Date: 2024-08-21
Sources: OSV
CVE-2026-20800 [UNKNOWN] Gitea improperly exposes issue and pull request titles in code.gitea.io/gitea
Priority: P3 | Public PoC: no | Affected: ≥ 0, < 1.25.4 | Date: 2026-02-02
Sources: OSV
CVE-2026-20883 [UNKNOWN] Gitea improperly exposes issue titles and repository names through previously started stopwatches in code.gitea.io/gitea
Priority: P3 | Public PoC: no | Affected: ≥ 0, < 1.25.4 | Date: 2026-02-02
Sources: OSV
CVE-2020-13246 [UNKNOWN] Denial of Service in Gitea in code.gitea.io/gitea
Priority: P3 | Public PoC: no | Affected: ≥ 0, < 1.12.0 | Date: 2024-08-21
Sources: OSV
CVE-2021-3382 [UNKNOWN] Buffer Overflow in gitea in code.gitea.io/gitea
Priority: P3 | Public PoC: no | Affected: ≥ 1.9.0, < 1.13.2 | Date: 2024-06-04
Sources: OSV
CVE-2022-38183 [MEDIUM] CWE-732 Gitea allowed assignment of private issues
Priority: P3 | Public PoC: no | Affected: ≥ 0, < 1.16.9 | Date: 2022-08-13
In Gitea before 1.16.9, it was possible for users to add existing issues to projects. Due to improper access controls, an attacker could assign any issue to any project in Gitea (there was no permission check for fetching the issue). As a result, the attacker would get access to private issue titles.
Sources: GHSA, OSV