Code.Gitea.Io Gitea vulnerabilities
51 known vulnerabilities affecting code.gitea.io/gitea.
Total CVEs
51
CISA KEV
0
Public exploits
4
Exploited in wild
0
Severity breakdown
CRITICAL5HIGH10MEDIUM21LOW4UNKNOWN11
Vulnerabilities
Page 2 of 3
CVE-2026-20904P3UNKNOWN≥ 0, < 1.25.42026-02-02
CVE-2026-20904 Gitea does not properly validate ownership when toggling OpenID URI visibility in code.gitea.io/gitea
Gitea does not properly validate ownership when toggling OpenID URI visibility in code.gitea.io/gitea
Gitea does not properly validate ownership when toggling OpenID URI visibility in code.gitea.io/gitea
osv
CVE-2021-28378P4MEDIUM≥ 0, < 1.13.42021-09-27
CVE-2021-28378 [MEDIUM] CWE-79 Cross-site Scripting in Gitea
Cross-site Scripting in Gitea
Gitea 1.12.x and 1.13.x before 1.13.4 allows XSS via certain issue data in some situations.
ghsaosv
CVE-2019-1000002P3MEDIUM≥ 0, < 1.6.32022-05-13
CVE-2019-1000002 [MEDIUM] CWE-284 Gitea Arbitrary File Delete Vulnerability
Gitea Arbitrary File Delete Vulnerability
Gitea version 1.6.2 and earlier contains a Incorrect Access Control vulnerability in Delete/Edit file functionallity that can result in the attacker deleting files outside the repository he/she has access to. This attack appears to be exploitable via the attacker must get write access to "any" repository including self-created ones. This vulnerability appears to have been fixed
ghsaosv
CVE-2022-0905P3HIGH≥ 0, < 1.16.42022-03-11
CVE-2022-0905 [HIGH] CWE-862 Gitea Missing Authorization vulnerability
Gitea Missing Authorization vulnerability
Gitea 1.16.3 and prior is vulnerable to missing authorization. A patch is available as part of the 1.16.4 release.
ghsaosv
CVE-2022-27313P4HIGH≥ 0, < 1.16.42022-05-04
CVE-2022-27313 [HIGH] Arbitrary file deletion in gitea
Arbitrary file deletion in gitea
An arbitrary file deletion vulnerability in Gitea v1.16.3 allows attackers to cause a Denial of Service (DoS) via deleting the configuration file.
ghsaosv
CVE-2022-38795P4MEDIUM≥ 0, < 1.17.22023-08-07
CVE-2022-38795 [MEDIUM] Gitea erroneous repo clones
Gitea erroneous repo clones
In Gitea through 1.17.1, repo cloning can occur in the migration function.
ghsaosv
CVE-2025-69413P4MEDIUM≥ 0, < 1.25.22026-01-01
CVE-2025-69413 [MEDIUM] CWE-204 Gitea's /api/v1/user endpoint has different responses for failed authentication depending on whether a username exists
Gitea's /api/v1/user endpoint has different responses for failed authentication depending on whether a username exists
In Gitea before 1.25.2, /api/v1/user has different responses for failed authentication depending on whether a username exists.
ghsaosv
CVE-2025-68941P4MEDIUM≥ 0, < 1.22.32025-12-26
CVE-2025-68941 [MEDIUM] CWE-863 Gitea mishandles access to a private resource upon receiving an API token with scope limited to public resources
Gitea mishandles access to a private resource upon receiving an API token with scope limited to public resources
Gitea before 1.22.3 mishandles access to a private resource upon receiving an API token with scope limited to public resources.
ghsaosv
CVE-2021-29134P4MEDIUM≥ 0, < 1.13.62022-03-16
CVE-2021-29134 [MEDIUM] CWE-22 Path Traversal in Gitea
Path Traversal in Gitea
The avatar middleware in Gitea before 1.13.6 allows Directory Traversal via a crafted URL.
ghsaosv
CVE-2025-68945P4MEDIUM≥ 0, < 1.21.22025-12-26
CVE-2025-68945 [MEDIUM] CWE-359 Gitea: anonymous user can visit private user's project
Gitea: anonymous user can visit private user's project
In Gitea before 1.21.2, an anonymous user can visit a private user's project.
ghsaosv
CVE-2025-68938P4MEDIUM≥ 0, < 1.25.22025-12-26
CVE-2025-68938 [MEDIUM] CWE-863 Gitea mishandles authorization for deletion of releases
Gitea mishandles authorization for deletion of releases
Gitea before 1.25.2 mishandles authorization for deletion of releases.
ghsaosv
CVE-2025-68944P4MEDIUM≥ 0, < 1.22.22025-12-26
CVE-2025-68944 [MEDIUM] CWE-441 Gitea sometimes mishandles propagation of token scope for access control within one of its own package registries
Gitea sometimes mishandles propagation of token scope for access control within one of its own package registries
Gitea before 1.22.2 sometimes mishandles the propagation of token scope for access control within one of its own package registries.
ghsaosv
CVE-2025-68943P4MEDIUM≥ 0, < 1.21.82025-12-26
CVE-2025-68943 [MEDIUM] CWE-497 Gitea inadvertently discloses users' login times by allowing (for example) the lastlogintime explore/users sort order
Gitea inadvertently discloses users' login times by allowing (for example) the lastlogintime explore/users sort order
Gitea before 1.21.8 inadvertently discloses users' login times by allowing (for example) the lastlogintime explore/users sort order.
ghsaosv
CVE-2025-68940P4LOW≥ 0, < 1.22.52025-12-26
CVE-2025-68940 [LOW] CWE-863 Gitea doesn't adequately enforce branch deletion permissions after merging a pull request.
Gitea doesn't adequately enforce branch deletion permissions after merging a pull request.
In Gitea before 1.22.5, branch deletion permissions are not adequately enforced after merging a pull request.
ghsaosv
CVE-2025-68946P4MEDIUM≥ 0, < 1.20.12025-12-26
CVE-2025-68946 [MEDIUM] CWE-79 Gitea vulnerable to Cross-site Scripting
Gitea vulnerable to Cross-site Scripting
In Gitea before 1.20.1, a forbidden URL scheme such as javascript: can be used for a link, aka XSS.
ghsaosv
CVE-2025-68942P4MEDIUM≥ 0, < 1.22.22025-12-26
CVE-2025-68942 [MEDIUM] CWE-79 Gitea allows XSS because the search input box (for creating tags and branches) is v-html instead of v-text
Gitea allows XSS because the search input box (for creating tags and branches) is v-html instead of v-text
Gitea before 1.22.2 allows XSS because the search input box (for creating tags and branches) is v-html instead of v-text.
ghsaosv
CVE-2019-1010261P4MEDIUM≥ 0, < 1.7.12022-05-24
CVE-2019-1010261 [MEDIUM] CWE-79 Gitea XSS Vulnerability
Gitea XSS Vulnerability
Gitea 1.7.0 and earlier is affected by: Cross Site Scripting (XSS). The impact is: Attacker is able to have victim execute arbitrary JS in browser. The component is: go-get URL generation - PR to fix: https://github.com/go-gitea/gitea/pull/5905. The attack vector is: victim must open a specifically crafted URL. The fixed version is: 1.7.1 and later.
ghsaosv
CVE-2022-1928P4MEDIUM≥ 0, < 1.16.92022-05-30
CVE-2022-1928 [MEDIUM] CWE-79 Stored Cross-site Scripting in gitea
Stored Cross-site Scripting in gitea
Cross-site Scripting (XSS) - Stored in GitHub repository go-gitea/gitea prior to 1.16.9 via unfiltered pdfs
ghsaosv
CVE-2026-20888P4UNKNOWN≥ 0, < 1.25.42026-02-02
CVE-2026-20888 Gitea does not properly verify authorization when canceling scheduled auto-merges via the web interface in code.gitea.io/gitea
Gitea does not properly verify authorization when canceling scheduled auto-merges via the web interface in code.gitea.io/gitea
Gitea does not properly verify authorization when canceling scheduled auto-merges via the web interface in code.gitea.io/gitea
osv
CVE-2019-1010314P4MEDIUM≥ 1.7.2, < 1.7.42022-05-24
CVE-2019-1010314 [MEDIUM] CWE-79 Gitea XSS Vulnerability in Repository Description
Gitea XSS Vulnerability in Repository Description
Gitea 1.7.2, 1.7.3 is affected by: Cross Site Scripting (XSS). The impact is: execute JavaScript in victim's browser, when the vulnerable repo page is loaded. The component is: repository's description. The attack vector is: victim must navigate to public and affected repo page.
ghsaosv