
Code.Gitea.Io Gitea vulnerabilities

51 known vulnerabilities affecting code.gitea.io/gitea.

Total CVEs: 51
CISA KEV: 0
Public exploits: 4
Exploited in wild: 0
Severity breakdown: CRITICAL 5, HIGH 10, MEDIUM 21, LOW 4, UNKNOWN 11

Vulnerabilities

Page 3 of 3
CVE-2023-3515 | P4 LOW | affected: ≥ 0, < 1.19.4 | 2023-07-05
CVE-2023-3515 [LOW] CWE-601 code.gitea.io/gitea Open Redirect vulnerability. Open Redirect in GitHub repository go-gitea/gitea prior to 1.19.4. This is most likely a post-auth redirect, and it is a POST-based request scenario, so it is less likely that it can be exploited or chained with other bugs to cause phishing or credential theft.
Sources: GHSA, OSV
CVE-2026-0798 | P4 LOW | affected: ≥ 0, < 1.25.4 | 2026-01-23
CVE-2026-0798 [LOW] CWE-284 Gitea may send release notification emails for private repositories to users whose access has been revoked. When a repository is changed from public to private, users who previously watched the repository may continue to receive release notifications, poten
Sources: GHSA, OSV
CVE-2026-24791 | MEDIUM (CVSS 5.3) | affected: ≥ 1.22.3, < 1.26.2 | 2026-06-17
CVE-2026-24791 [MEDIUM] CWE-863 Gitea: Public-only tokens bypass private-resource restrictions on `/api/v1/user` self routes. Summary: Many authenticated self routes under `/api/v1/user/...` do not enforce the `public-only` token restriction. As a result, a token or OAuth grant marked `public-only`, but otherwise carrying the route-required read/write scope category, can access or modify private accou
Sources: GHSA
CVE-2026-25714 | MEDIUM (CVSS 5.3) | affected: ≥ 0, < 1.26.2 | 2026-06-16
CVE-2026-25714 [MEDIUM] CWE-862 Gitea: Incomplete CVE-2025-68941 fix: /user/orgs missing checkTokenPublicOnly + switch-case logic flaw. Summary: Two related issues in the token public-only scope enforcement introduced by PR #32204 (CVE-2025-68941 fix). A public-only scoped API token can access private organization data. Issue 1: /user/orgs missing checkTokenPublicOnly() `routers/api/v1/
Sources: GHSA
CVE-2026-22555 | HIGH | affected: ≥ 0, < 1.26.0 | 2026-06-17
CVE-2026-22555 [HIGH] CWE-863 Gitea: API Fork Missing CanCreateOrgRepo Check Allows Org Secret Exfiltration. Summary: The API endpoint `POST /api/v1/repos/{owner}/{repo}/forks` only checks `IsOrgMember()` when a user forks a repository into an organization, but does not check `CanCreateOrgRepo()`. The web UI fork handler correctly checks both. This allows a read-only organization member — in a team with `can_create_
Sources: GHSA
CVE-2026-28737 | HIGH | affected: ≥ 1.25.0, < 1.26.0 | 2026-06-17
CVE-2026-28737 [HIGH] CWE-79 Gitea: Stored XSS via glTF `extensionsRequired` in Gitea 3D File Viewer. Summary: Me again. Gitea's built-in 3D file viewer (powered by Online3DViewer) is vulnerable to stored cross-site scripting (XSS) through crafted `.gltf` files. When a glTF file declares an unsupported required extension, Online3DViewer generates an error message containing the extension name and Gitea inserts it into th
Sources: GHSA
CVE-2026-26231 | HIGH | affected: ≥ 0, < 1.26.2 | 2026-06-16
CVE-2026-26231 [HIGH] CWE-863 Gitea: Authorization Bypass via "Allow edits from maintainers" allows unauthorized commits to any readable repo. Summary: Any authenticated low-privilege user with read access to a repository can push arbitrary commits directly to that repository, bypassing all write-access checks. Vulnerability: Gitea's "Allow edits from maintainers" PR option can
Sources: GHSA
CVE-2026-28744 | HIGH | affected: ≥ 0, < 1.26.2 | 2026-06-16
CVE-2026-28744 [HIGH] CWE-863 Gitea: Git Smart HTTP Skips Repository Token Scopes for Bearer Tokens. Summary: Gitea v1.26.1 enforces repository-scoped access-token permissions on repository operations. In the Git Smart HTTP path, however, this check runs only when the token is presented via HTTP Basic authentication — `CheckRepoScopedToken()` returns early unless `ctx.IsBasicAuth` is true — so the same token sent as `Author
Sources: GHSA
CVE-2026-28699 | HIGH | affected: ≥ 0, < 1.26.2 | 2026-06-16
CVE-2026-28699 [HIGH] CWE-284 Gitea: OAuth2 access token scope enforcement bypass via HTTP Basic authentication. Summary: Gitea fails to enforce OAuth2 access token scopes when the token is submitted via HTTP Basic authentication instead of a Bearer token. An OAuth2 application granted only `read:user` can use the same token as `Authorization: Basic base64(:x-oauth-basic)` and perform write actions, including m
Sources: GHSA
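CVE-2026-28744 and CVE-2026-28699 above are the same bug class seen from opposite sides: a token-scope check that runs only for one way of presenting the token (Basic in one case, Bearer in the other), so the same credential carries more authority on the unchecked path. What follows is an added example written for this listing, not Gitea's code or the advisories' proof of concept. It models the check in Go with the flawed, transport-gated form beside the transport-independent form. The token store, the scope names, the Basic credential convention (`<token>:x-oauth-basic`) and the request path are all assumptions.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"net/http"
	"strings"
)

// tokenInfo is a hypothetical token record, not Gitea's access-token or
// OAuth2 grant model.
type tokenInfo struct {
	scopes map[string]bool
}

// Constructed sample tokens: one read-only, one read/write.
var tokens = map[string]tokenInfo{
	"tok-read-only":  {scopes: map[string]bool{"read:repository": true}},
	"tok-read-write": {scopes: map[string]bool{"read:repository": true, "write:repository": true}},
}

// extractToken pulls the token out of the Authorization header and reports
// whether it arrived as HTTP Basic credentials. The Basic form accepted here
// is the assumed "<token>:x-oauth-basic" convention; Gitea's own parsing is
// not reproduced.
func extractToken(r *http.Request) (token string, isBasic bool, ok bool) {
	h := r.Header.Get("Authorization")
	switch {
	case strings.HasPrefix(h, "Bearer "):
		return strings.TrimSpace(strings.TrimPrefix(h, "Bearer ")), false, true
	case strings.HasPrefix(h, "Basic "):
		raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(h, "Basic "))
		if err != nil {
			return "", true, false
		}
		user, pass, found := strings.Cut(string(raw), ":")
		if !found || pass != "x-oauth-basic" || user == "" {
			return "", true, false
		}
		return user, true, true
	}
	return "", false, false
}

// authorizeVulnerable reproduces the flaw: scope enforcement is tied to how
// the token was presented. Here it runs only for Basic credentials, so a
// read-only token sent as Bearer passes a write-scoped check (the shape of
// CVE-2026-28744; CVE-2026-28699 is the mirror image, with Basic unchecked).
func authorizeVulnerable(r *http.Request, required string) bool {
	token, isBasic, ok := extractToken(r)
	if !ok {
		return false
	}
	info, known := tokens[token]
	if !known {
		return false
	}
	if !isBasic {
		return true // BUG: the scope check is skipped for Bearer tokens
	}
	return info.scopes[required]
}

// authorizeFixed resolves the token first and then enforces the scope on the
// resolved token; the presentation form is only used for parsing.
func authorizeFixed(r *http.Request, required string) bool {
	token, _, ok := extractToken(r)
	if !ok {
		return false
	}
	info, known := tokens[token]
	if !known {
		return false
	}
	return info.scopes[required]
}

// Helpers that build both presentations of the same token.
func bearer(token string) string { return "Bearer " + token }
func basic(token string) string {
	return "Basic " + base64.StdEncoding.EncodeToString([]byte(token+":x-oauth-basic"))
}

func newRequest(method, path, authorization string) *http.Request {
	r, err := http.NewRequest(method, path, nil)
	if err != nil {
		panic(err)
	}
	r.Header.Set("Authorization", authorization)
	return r
}

func main() {
	// A push over Git Smart HTTP needs a write scope (illustrative path).
	push := "/org/repo.git/git-receive-pack"
	for _, tc := range []struct{ name, auth string }{
		{"read-only token via Basic", basic("tok-read-only")},
		{"read-only token via Bearer", bearer("tok-read-only")},
		{"read/write token via Bearer", bearer("tok-read-write")},
	} {
		r := newRequest(http.MethodPost, push, tc.auth)
		fmt.Printf("%-28s vulnerable=%v fixed=%v\n", tc.name,
			authorizeVulnerable(r, "write:repository"),
			authorizeFixed(r, "write:repository"))
	}
}
```

The useful property of the fixed form is that the decision depends only on the resolved token and the required scope, never on the branch that parsed the header. The same test, one credential sent both ways with identical expected results, is the check to add when a new endpoint accepts tokens (CVE-2026-20706 above is the related case of an endpoint that was simply left out of the scope check).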
CVE-2026-27783 | MEDIUM | affected: ≥ 0, < 1.26.2 | 2026-06-16
CVE-2026-27783 [MEDIUM] CWE-862 Gitea: Missing repository-unit authorization on issue-template API endpoints. Summary: Three Gitea API endpoints — `GET /repos/{owner}/{repo}/issue_templates`, `GET /repos/{owner}/{repo}/issue_config` and `GET /repos/{owner}/{repo}/issue_config/validate` — read files from the repository's **Code** default branch (`.gitea/ISSUE_TEMPLATE/*` and `issue_config.yaml`) and return their conte
Sources: GHSA
CVE-2026-20706 | MEDIUM | affected: ≥ 0, < 1.26.2 | 2026-06-16
CVE-2026-20706 [MEDIUM] CWE-863 Gitea: Token scope bypass on web archive download endpoint. Summary: PR #37698 added checkDownloadTokenScope to /raw/*, /media/*, and attachment download web endpoints. The /archive/* endpoint (repo.Download in routers/web/repo/repo.go:372) was not included in the fix. This endpoint accepts OAuth2 tokens via webAuth.AllowOAuth2 (registered at routers/web/web.go:1649-1652) but does not call checkDownload
Sources: GHSA