CVE-2026-20912
- EPSS 0.02%
- Published 22.01.2026 22:16:19
- Last modified 29.01.2026 22:03:58
Gitea does not properly validate repository ownership when linking attachments to releases. An attachment uploaded to a private repository could potentially be linked to a release in a different public repository, making it accessible to unauthorized...
CVE-2026-20904
- EPSS 0.01%
- Published 22.01.2026 22:16:19
- Last modified 29.01.2026 22:03:08
Gitea does not properly validate ownership when toggling OpenID URI visibility. An authenticated user may be able to change the visibility settings of other users' OpenID identities.
CVE-2026-20897
- EPSS 0.02%
- Published 22.01.2026 22:16:18
- Last modified 29.01.2026 22:02:20
Gitea does not properly validate repository ownership when deleting Git LFS locks. A user with write access to one repository may be able to delete LFS locks belonging to other repositories.
CVE-2026-20888
- EPSS 0.01%
- Published 22.01.2026 22:16:17
- Last modified 29.01.2026 22:00:58
Gitea does not properly verify authorization when canceling scheduled auto-merges via the web interface. A user with read access to pull requests may be able to cancel auto-merges scheduled by other users.
CVE-2026-20883
- EPSS 0.01%
- Published 22.01.2026 22:16:17
- Last modified 29.01.2026 21:58:25
Gitea's stopwatch API does not re-validate repository access permissions. After a user's access to a private repository is revoked, they may still view issue titles and repository names through previously started stopwatches.
CVE-2026-20800
- EPSS 0.01%
- Published 22.01.2026 22:16:17
- Last modified 29.01.2026 21:57:04
Gitea's notification API does not re-validate repository access permissions when returning notification details. After a user's access to a private repository is revoked, they may still view issue and pull request titles through previously received n...
CVE-2026-20750
- EPSS 0.02%
- Published 22.01.2026 22:16:17
- Last modified 29.01.2026 21:48:07
Gitea does not properly validate project ownership in organization project operations. A user with project write access in one organization may be able to modify projects belonging to a different organization.
CVE-2026-20736
- EPSS 0.01%
- Published 22.01.2026 22:16:17
- Last modified 29.01.2026 21:46:59
Gitea does not properly verify repository context when deleting attachments. A user who previously uploaded an attachment to a repository may be able to delete it after losing access to that repository by making the request through a different reposi...
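Several of the entries above (CVE-2026-20912, CVE-2026-20897, CVE-2026-20750 and CVE-2026-20736) describe one bug class: the request is authorized against the repository or organization named in the URL, but the object it acts on is then looked up by a global identifier without checking that it belongs to that context. The Go program below is an added example of that pattern and its fix; it is not Gitea's code. The in-memory store, the user and repository IDs, the attachment UUIDs and the function names are all hypothetical, constructed for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical model, not Gitea's code: attachments are addressed by a
// globally unique UUID and each record stores the repository it belongs to.
type Attachment struct {
	UUID   string
	RepoID int64
}

// Store holds attachments and, per user, the repositories the user may
// write to. Both tables are constructed demo data.
type Store struct {
	attachments map[string]*Attachment
	writers     map[int64]map[int64]bool // userID -> repoID -> may write
}

var (
	ErrNotFound  = errors.New("attachment not found")
	ErrForbidden = errors.New("forbidden")
)

func (s *Store) canWrite(userID, repoID int64) bool {
	return s.writers[userID][repoID]
}

// DeleteAttachmentVulnerable shows the bug class: authorization is checked
// against the repository named in the request (ctxRepoID), but the attachment
// is then resolved by UUID alone. A user who can still write to one
// repository can delete an attachment of any other repository by routing the
// request through the repository they still have access to.
func (s *Store) DeleteAttachmentVulnerable(userID, ctxRepoID int64, uuid string) error {
	if !s.canWrite(userID, ctxRepoID) {
		return ErrForbidden
	}
	if _, ok := s.attachments[uuid]; !ok {
		return ErrNotFound
	}
	delete(s.attachments, uuid)
	return nil
}

// DeleteAttachmentFixed binds the object to the request context: the
// attachment must belong to ctxRepoID or the request is refused. The
// mismatch is reported as not-found rather than forbidden so the response
// does not confirm that the UUID exists in some other repository.
func (s *Store) DeleteAttachmentFixed(userID, ctxRepoID int64, uuid string) error {
	if !s.canWrite(userID, ctxRepoID) {
		return ErrForbidden
	}
	a, ok := s.attachments[uuid]
	if !ok || a.RepoID != ctxRepoID {
		return ErrNotFound
	}
	delete(s.attachments, uuid)
	return nil
}

// NewDemoStore builds constructed sample data: user 1 may write to repo 10,
// user 2 may write to repo 20; "a-own" lives in repo 10, "a-priv" in repo 20.
// Scenario: user 1 once had access to repo 20 (and uploaded "a-priv") but has
// since lost it.
func NewDemoStore() *Store {
	return &Store{
		attachments: map[string]*Attachment{
			"a-own":  {UUID: "a-own", RepoID: 10},
			"a-priv": {UUID: "a-priv", RepoID: 20},
		},
		writers: map[int64]map[int64]bool{
			1: {10: true},
			2: {20: true},
		},
	}
}

func main() {
	s := NewDemoStore()
	fmt.Println("vulnerable:", s.DeleteAttachmentVulnerable(1, 10, "a-priv")) // <nil>: cross-repo delete succeeds
	s = NewDemoStore()
	fmt.Println("fixed:     ", s.DeleteAttachmentFixed(1, 10, "a-priv")) // attachment not found
	fmt.Println("fixed own: ", s.DeleteAttachmentFixed(1, 10, "a-own"))  // <nil>
}
```

The same shape applies to the LFS lock, release attachment and organization project cases: whatever the object is, the lookup must be scoped to the context the caller was authorized for (attachment by UUID and repository, lock by ID and repository, project by ID and organization), not to the global identifier alone.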
CVE-2026-0798
- EPSS 0.01%
- Published 22.01.2026 22:16:15
- Last modified 29.01.2026 21:59:24
Gitea may send release notification emails for private repositories to users whose access has been revoked. When a repository is changed from public to private, users who previously watched the repository may continue to receive release notifications...
CVE-2025-69413
- EPSS 0.03%
- Published 01.01.2026 04:39:48
- Last modified 06.01.2026 19:27:57
In Gitea before 1.25.2, /api/v1/user has different responses for failed authentication depending on whether a username exists.
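The entry above describes a username enumeration oracle: a failed login for an existing account is answered differently from a failed login for a nonexistent one. The Go program below is an added example, not Gitea's code, showing a handler with that defect beside a handler that returns one uniform failure response, plus a probe that sends both kinds of failed request through httptest and reports whether the two can be told apart. The credential table, the usernames, the response texts and the function names are constructed for the demonstration.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// Constructed demo credential table. Plaintext is used only to keep the
// example short; a real service compares password hashes.
var demoUsers = map[string]string{"alice": "correct-horse-battery"}

// vulnerableUserHandler models the flaw: an unknown username gets a different
// status and body than a known username with a wrong password, so an
// unauthenticated caller can test which accounts exist.
func vulnerableUserHandler(w http.ResponseWriter, r *http.Request) {
	user, pass, ok := r.BasicAuth()
	if !ok {
		http.Error(w, "authentication required", http.StatusUnauthorized)
		return
	}
	stored, exists := demoUsers[user]
	if !exists {
		http.Error(w, "user does not exist", http.StatusNotFound)
		return
	}
	if subtle.ConstantTimeCompare([]byte(stored), []byte(pass)) != 1 {
		http.Error(w, "invalid credentials", http.StatusUnauthorized)
		return
	}
	fmt.Fprintf(w, `{"login":%q}`, user)
}

// fixedUserHandler collapses every failed authentication into the same status
// and body. An unknown user yields an empty stored value, so that path takes
// the same branch as a wrong password instead of returning early.
func fixedUserHandler(w http.ResponseWriter, r *http.Request) {
	user, pass, ok := r.BasicAuth()
	stored := demoUsers[user]
	if !ok || subtle.ConstantTimeCompare([]byte(stored), []byte(pass)) != 1 {
		http.Error(w, "invalid credentials", http.StatusUnauthorized)
		return
	}
	fmt.Fprintf(w, `{"login":%q}`, user)
}

func VulnerableHandler() http.Handler { return http.HandlerFunc(vulnerableUserHandler) }
func FixedHandler() http.Handler      { return http.HandlerFunc(fixedUserHandler) }

// Probe records what the endpoint returned for two failed logins.
type Probe struct {
	KnownStatus, UnknownStatus int
	KnownBody, UnknownBody     string
}

// Leaks is true when the endpoint lets a caller tell the two cases apart.
func (p Probe) Leaks() bool {
	return p.KnownStatus != p.UnknownStatus || p.KnownBody != p.UnknownBody
}

// ProbeEnumeration sends one wrong-password request for an existing user and
// one for a nonexistent user directly to the handler (no network needed).
func ProbeEnumeration(h http.Handler, knownUser, unknownUser string) Probe {
	attempt := func(user string) (int, string) {
		req := httptest.NewRequest(http.MethodGet, "/api/v1/user", nil)
		req.SetBasicAuth(user, "definitely-wrong")
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, req)
		body, _ := io.ReadAll(rec.Result().Body)
		return rec.Code, string(body)
	}
	var p Probe
	p.KnownStatus, p.KnownBody = attempt(knownUser)
	p.UnknownStatus, p.UnknownBody = attempt(unknownUser)
	return p
}

func main() {
	fmt.Println("vulnerable leaks:", ProbeEnumeration(VulnerableHandler(), "alice", "mallory").Leaks()) // true
	fmt.Println("fixed leaks:     ", ProbeEnumeration(FixedHandler(), "alice", "mallory").Leaks())      // false
}
```

The probe compares only status and body; a complete check would also diff headers and response timing. With hashed passwords the fixed handler should verify against a dummy hash when the user is unknown, so the two failure paths cost about the same.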