Vulnerabilities in Gitea

22 results (20 listed below)

- CVE-2024-6886 (CRITICAL, EPSS 28.2%): Improper sanitization of field leading to stored XSS
- CVE-2019-1010261 (EPSS 0.8%): Gitea 1.7.0 and earlier is affected by: Cross Site Scripting (XSS). The impact is: Attacker is able to have victim execute arbitrary JS in b
- CVE-2019-1010314 (EPSS 0.8%): Gitea 1.7.2, 1.7.3 is affected by: Cross Site Scripting (XSS). The impact is: execute JavaScript in victim's browser, when the vulnerable re
- CVE-2026-20897 (CRITICAL, EPSS 0.4%): Gitea Git LFS Lock Deletion Broken Access Control (Cross-Repo IDOR)
- CVE-2026-20912 (CRITICAL, EPSS 0.4%): Gitea: Cross-Repository Authorization Bypass via Release Attachment Linking Leads to Private Attachment Disclosure
- CVE-2025-69413 (MEDIUM, EPSS 0.4%): In Gitea before 1.25.2, /api/v1/user has different responses for failed authentication depending on whether a username exists.
- CVE-2025-68938 (MEDIUM, EPSS 0.3%): Gitea before 1.25.2 mishandles authorization for deletion of releases.
- CVE-2026-20750 (CRITICAL, EPSS 0.3%): Gitea Organization Projects Cross-Organization Authorization Bypass via Project ID (IDOR)
- CVE-2026-20800 (MEDIUM, EPSS 0.3%): Notification API Leaks Private Repository Issue Titles After Collaborator Permission Revocation
- CVE-2026-20883 (MEDIUM, EPSS 0.3%): Gitea Stopwatch API Missing Authorization Check Leads to Post-Revocation Information Disclosure
- CVE-2025-68945 (MEDIUM, EPSS 0.3%): In Gitea before 1.21.2, an anonymous user can visit a private user's project.
- CVE-2025-68943 (MEDIUM, EPSS 0.3%): Gitea before 1.21.8 inadvertently discloses users' login times by allowing (for example) the lastlogintime explore/users sort order.
- CVE-2026-20736 (HIGH, EPSS 0.3%): Gitea Web Attachment Deletion: Cross-Repository Unauthorized Deletion via Missing Repo Ownership Check
- CVE-2026-20888 (MEDIUM, EPSS 0.3%): Gitea Pull Requests Auto-Merge: Read-Only Users Can Cancel Scheduled Auto-Merge via Web Endpoint (Authorization Bypass)
- CVE-2025-68939 (HIGH, EPSS 0.3%): Gitea before 1.23.0 allows attackers to add attachments with forbidden file extensions by editing an attachment name via an attachment API.
- CVE-2026-20904 (MEDIUM, EPSS 0.3%): Gitea: Broken access control in OpenID visibility toggle enables cross-user visibility changes
- CVE-2025-68944 (MEDIUM, EPSS 0.3%): Gitea before 1.22.2 sometimes mishandles the propagation of token scope for access control within one of its own package registries.
- CVE-2025-68940 (LOW, EPSS 0.3%): In Gitea before 1.22.5, branch deletion permissions are not adequately enforced after merging a pull request.
- CVE-2025-68941 (MEDIUM, EPSS 0.2%): Gitea before 1.22.3 mishandles access to a private resource upon receiving an API token with scope limited to public resources.
- CVE-2026-0798 (LOW, EPSS 0.2%): Gitea Release Email Notifications Leak Private Repository Release Details After Access Revocation
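The check a Gitea operator actually wants from a listing like this is "which of these apply to the version I am running?" The following is an added example, not code from Gitea or from the site that produced the listing: it takes the entries above whose description states an affected range ("before X.Y.Z", "X.Y.Z and earlier", or an explicit list of versions) and compares them against a running version. Entries that give no version on this page (the CVE-2026-* advisories and CVE-2024-6886) are reported as "unknown" rather than guessed. The `ADVISORIES` table is constructed from the listing text; the function names are the example's own.

```python
import re
from typing import Optional

Version = tuple[int, int, int]

# Constructed from the listing above (CVE id, severity as shown, description).
# Descriptions that state no affected range are kept so the triage reports them
# as "unknown" instead of silently ignoring them.
ADVISORIES: list[tuple[str, str, str]] = [
    ("CVE-2024-6886", "CRITICAL", "Improper sanitization of field leading to stored XSS"),
    ("CVE-2019-1010261", "", "Gitea 1.7.0 and earlier is affected by: Cross Site Scripting (XSS)."),
    ("CVE-2019-1010314", "", "Gitea 1.7.2, 1.7.3 is affected by: Cross Site Scripting (XSS)."),
    ("CVE-2025-69413", "MEDIUM", "In Gitea before 1.25.2, /api/v1/user has different responses for failed authentication depending on whether a username exists."),
    ("CVE-2025-68938", "MEDIUM", "Gitea before 1.25.2 mishandles authorization for deletion of releases."),
    ("CVE-2025-68945", "MEDIUM", "In Gitea before 1.21.2, an anonymous user can visit a private user's project."),
    ("CVE-2025-68943", "MEDIUM", "Gitea before 1.21.8 inadvertently discloses users' login times."),
    ("CVE-2025-68939", "HIGH", "Gitea before 1.23.0 allows attackers to add attachments with forbidden file extensions."),
    ("CVE-2025-68944", "MEDIUM", "Gitea before 1.22.2 sometimes mishandles the propagation of token scope."),
    ("CVE-2025-68940", "LOW", "In Gitea before 1.22.5, branch deletion permissions are not adequately enforced."),
    ("CVE-2025-68941", "MEDIUM", "Gitea before 1.22.3 mishandles access to a private resource."),
]

# The three phrasings the listing uses to state an affected range.
BEFORE = re.compile(r"before (\d+\.\d+\.\d+)")
AND_EARLIER = re.compile(r"(\d+\.\d+\.\d+) and earlier")
EXACT = re.compile(r"Gitea ((?:\d+\.\d+\.\d+)(?:, \d+\.\d+\.\d+)*) is affected")


def parse_version(s: str) -> Version:
    """Parse 'major.minor.patch'. Pre-release suffixes (e.g. '-rc1') are not
    handled; strip them before calling, or treat such builds as the release."""
    major, minor, patch = (int(x) for x in s.strip().split("."))
    return (major, minor, patch)


def affected(description: str, running: Version) -> Optional[bool]:
    """True/False when the description states an affected range, None when it
    does not (no version on the page, so nothing to compare against)."""
    m = BEFORE.search(description)
    if m:
        return running < parse_version(m.group(1))
    m = AND_EARLIER.search(description)
    if m:
        return running <= parse_version(m.group(1))
    m = EXACT.search(description)
    if m:
        return running in {parse_version(v) for v in m.group(1).split(", ")}
    return None


def triage(running_version: str) -> tuple[list[str], list[str]]:
    """Return (CVE ids that affect running_version, CVE ids with no stated range)."""
    running = parse_version(running_version)
    hits, unknown = [], []
    for cve, _severity, description in ADVISORIES:
        verdict = affected(description, running)
        if verdict is None:
            unknown.append(cve)
        elif verdict:
            hits.append(cve)
    return sorted(hits), sorted(unknown)


if __name__ == "__main__":
    hits, unknown = triage("1.22.4")
    print("affected:", hits)
    print("no version stated on the page, check the advisory:", unknown)
```

Treat the "unknown" list as work, not as clean: every CVE-2026-* entry above is an authorization or IDOR bug whose fixed version has to be read from the advisory itself.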