78 matches found
CVE-2026-25120
Gogs is an open source self-hosted Git service. In versions 0.13.4 and below, the DeleteComment API does not verify that the comment belongs to the repository specified in the URL. This allows a repository administrator to delete comments from any other repository by supplying arbitrary comment...
CVE-2026-25229
Gogs is an open source self-hosted Git service. Versions 0.13.4 and below have a broken access control vulnerability which allows authenticated users with write access to any repository to modify labels belonging to other repositories. The UpdateLabel function in the Web UI...
CVE-2026-25229 Gogs Authorization Bypass Allows Cross-Repository Label Modification
Gogs is an open source self-hosted Git service. Versions 0.13.4 and below have a broken access control vulnerability which allows authenticated users with write access to any repository to modify labels belonging to other repositories. The UpdateLabel function in the Web UI...
CVE-2026-25229
CVE-2026-25229 affects Gogs (self-hosted Git service). In versions 0.13.4 and earlier, the Web UI endpoint POST /:username/:reponame/labels/edit allows cross-repository label tampering: UpdateLabel uses an incorrect database query that bypasses repository ownership validation, letting authenticat...
CVE-2026-25229 Gogs Authorization Bypass Allows Cross-Repository Label Modification
Gogs is an open source self-hosted Git service. Versions 0.13.4 and below have a broken access control vulnerability which allows authenticated users with write access to any repository to modify labels belonging to other repositories. The UpdateLabel function in the Web UI...
CVE-2026-25229 Gogs Authorization Bypass Allows Cross-Repository Label Modification
Gogs is an open source self-hosted Git service. Versions 0.13.4 and below have a broken access control vulnerability which allows authenticated users with write access to any repository to modify labels belonging to other repositories. The UpdateLabel function in the Web UI...
CVE-2026-25120 Gogs Allows Cross-Repository Comment Deletion via DeleteComment
Gogs is an open source self-hosted Git service. In versions 0.13.4 and below, the DeleteComment API does not verify that the comment belongs to the repository specified in the URL. This allows a repository administrator to delete comments from any other repository by supplying arbitrary comment...
CVE-2026-25120
Gogs CVE-2026-25120 affects versions 0.13.4 and earlier. The issue arises in DeleteComment: the API does not verify that the comment belongs to the repository specified in the URL, allowing a repository administrator to delete comments from other repositories by supplying arbitrary comment IDs. T...
CVE-2026-25120 Gogs Allows Cross-Repository Comment Deletion via DeleteComment
Gogs is an open source self-hosted Git service. In versions 0.13.4 and below, the DeleteComment API does not verify that the comment belongs to the repository specified in the URL. This allows a repository administrator to delete comments from any other repository by supplying arbitrary comment...
CVE-2026-25120 Gogs Allows Cross-Repository Comment Deletion via DeleteComment
Gogs is an open source self-hosted Git service. In versions 0.13.4 and below, the DeleteComment API does not verify that the comment belongs to the repository specified in the URL. This allows a repository administrator to delete comments from any other repository by supplying arbitrary comment...
GitHub: Cross-repository IDOR in `/settings/security_analysis/bypass_reviewers` allows unauthorized delegated bypass reviewer modification
A vulnerability was identified in GitHub Enterprise Server that allowed an attacker with admin access on one repository to modify the secret scanning push protection delegated bypass reviewer list on another repository. Authorization was verified against the repository in the URL, but the action...
Gogs has an Authorization Bypass Allows Cross-Repository Label Modification in Gogs
Summary A broken access control vulnerability in Gogs allows authenticated users with write access to any repository to modify labels belonging to other repositories. The UpdateLabel function in the Web UI internal/route/repo/issue.go fails to verify that the label being modified belongs to the...
GHSA-CV22-72PX-F4GH Gogs has an Authorization Bypass Allows Cross-Repository Label Modification in Gogs
Summary A broken access control vulnerability in Gogs allows authenticated users with write access to any repository to modify labels belonging to other repositories. The UpdateLabel function in the Web UI internal/route/repo/issue.go fails to verify that the label being modified belongs to the...
Authorization Bypass Through User-Controlled Key
Overview Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key in the UpdateLabel function. An attacker can modify labels belonging to other repositories by sending malicious requests to the /:username/:reponame/labels/edit endpoint. Remediation...
GHSA-JJ5M-H57J-5GV7 Gogs Allows Cross-Repository Comment Deletion via DeleteComment
IDOR: Cross-Repository Comment Deletion via DeleteComment Summary The POST /:owner/:repo/issues/comments/:id/delete endpoint does not verify that the comment belongs to the repository specified in the URL. This allows a repository administrator to delete comments from any other repository by...
Gogs Allows Cross-Repository Comment Deletion via DeleteComment
IDOR: Cross-Repository Comment Deletion via DeleteComment Summary The POST /:owner/:repo/issues/comments/:id/delete endpoint does not verify that the comment belongs to the repository specified in the URL. This allows a repository administrator to delete comments from any other repository by...
PT-2026-20321
Name of the Vulnerable Software and Affected Versions Gogs versions 0.13.4 and below Description Gogs, a self-hosted Git service, has a broken access control issue. Authenticated users with write access to a repository can modify labels belonging to other repositories. This is due to a failure in...
PT-2026-20320
Name of the Vulnerable Software and Affected Versions Gogs versions 0.13.4 and below Description Gogs, a self-hosted Git service, has an issue where the DeleteComment API does not properly verify if a comment belongs to the repository specified in the URL. This allows a repository administrator t...
SUSE CVE-2026-20736
Gitea does not properly verify repository context when deleting attachments. A user who previously uploaded an attachment to a repository may be able to delete it after losing access to that repository by making the request through a different repository they can access...
SUSE CVE-2026-20897
Gitea does not properly validate repository ownership when deleting Git LFS locks. A user with write access to one repository may be able to delete LFS locks belonging to other repositories...