Lucene search
K

95 matches found

Snyk
Snyk
added 2026/07/03 10:20 p.m.4 views

Access Control Bypass

Overview Affected versions of this package are vulnerable to Access Control Bypass due to the default configuration of REVERSEPROXYTRUSTEDPROXIES allowing all sources. An attacker can gain unauthorized access by sending spoofed reverse-proxy authentication headers such as X-WEBAUTH-USER...

9.8CVSS7.4AI score0.00783EPSS
Exploits4References2
Snyk
Snyk
added 2026/07/03 10:18 p.m.6 views

Access Control Bypass

Overview Affected versions of this package are vulnerable to Access Control Bypass via the OAuth sign-in callback process. An attacker can regain access to accounts that have been disabled by an administrator by initiating an OAuth sign-in, resulting in unauthorized re-enablement of those account...

9.8CVSS6AI score0.00343EPSS
Exploits0References2
NVD
NVD
added 2026/07/03 9:16 p.m.7 views

CVE-2026-28740

Gitea versions up to and including 1.26.2 allow Git LFS object reuse to authorize private source objects for users who have repository access but lack Code-unit access...

7.1CVSS0.00323EPSS
Exploits0References4
CVE
CVE
added 2026/07/03 8:19 p.m.41 views

CVE-2026-28744

Gitea

8.1CVSS7.1AI score0.00343EPSS
Exploits0References4
EUVD
EUVD
added 2026/07/03 8:19 p.m.8 views

EUVD-2026-41637

Gitea versions before 1.25.5 accept malformed or injected forwarded-proto values when detecting public URLs, allowing spoofed canonical URL generation...

5.9AI score0.00431EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/07/03 8:19 p.m.14 views

CVE-2026-27657

Gitea versions before 1.25.5 allow a user to change another user's primary email address...

5.9AI score0.00345EPSS
Exploits0References5
ATTACKERKB
ATTACKERKB
added 2026/07/03 8:19 p.m.6 views

CVE-2026-26307

Gitea versions before 1.25.5 do not enforce a timeout on git grep searches, allowing expensive searches to consume server resources...

6AI score0.00466EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/07/03 8:19 p.m.32 views

CVE-2026-26231 Gitea maintainer-edit permissions allow unauthorized commits to readable repositories

Gitea versions up to and including 1.26.1 allow the Allow edits from maintainers permission path to authorize commits to repositories that the user can read but should not be able to write...

8.5CVSS0.00291EPSS
Exploits0References5
OSV
OSV
added 2026/07/03 8:19 p.m.3 views

CVE-2026-26232 Gitea OAuth2 authorization codes lack expiry and reuse enforcement

Gitea versions before 1.25.5 do not consistently enforce OAuth2 authorization code expiry and single-use behavior during token exchange...

9.1CVSS6AI score0.00379EPSS
Exploits0References6
Cvelist
Cvelist
added 2026/07/03 8:19 p.m.47 views

CVE-2026-22874 Gitea webhook and migration allow-list filtering permits SSRF

Gitea versions up to and including 1.26.2 have incomplete SSRF protection in webhook and migration allow-list filtering...

9.6CVSS0.00464EPSS
Exploits1References5
Cvelist
Cvelist
added 2026/07/03 8:19 p.m.33 views

CVE-2026-22555 Gitea organization forks can expose organization secrets without create permission

Gitea versions before 1.26.0 allow API users to fork a repository into an organization without first passing the CanCreateOrgRepo check, which can expose organization secrets...

8.1CVSS0.00304EPSS
Exploits0References4
OSV
OSV
added 2026/07/03 8:19 p.m.4 views

CVE-2026-20779 Gitea TOTP single-use enforcement defect allows OTP replay

Gitea versions from 1.5.0 before 1.26.3 have a TOTP single-use enforcement defect that allows a valid TOTP code to be accepted more than once across web two-factor authentication flows and the Basic Auth X-Gitea-OTP path...

7.1CVSS7.2AI score0.00481EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/07/03 12:0 a.m.10 views

PT-2026-55606

Name of the Vulnerable Software and Affected Versions Gitea versions prior to 1.25.5 Description The software uses release tag names and asset names as filesystem path components during the process of dumping release assets. This behavior allows specially crafted names to manipulate the resulting...

5.3CVSS6.1AI score0.00369EPSS
Exploits0References7
Positive Technologies
Positive Technologies
added 2026/07/03 12:0 a.m.14 views

PT-2026-55603

Name of the Vulnerable Software and Affected Versions Gitea version 1.25.5 Description The software caches a branch-specific write-permission result across multiple refs during a single pre-receive hook session. This behavior allows a user with a per-branch maintainer-edit grant to reuse that...

8.8CVSS7.2AI score0.00523EPSS
Exploits0References9
Wolfi
Wolfi
added 2026/06/26 8:22 p.m.7 views

CVE-2026-46601 vulnerabilities

Vulnerabilities for packages: pdfcpu, rclone, gitea, mailpit, kubescape, seaweedfs, mattermost, ollama, bento...

7.5CVSS6.1AI score0.00339EPSS
Exploits0
Github Security Blog
Github Security Blog
added 2026/06/16 11:41 p.m.9 views

Gitea: Authorization Bypass via "Allow edits from maintainers" allows unauthorized commits to any readable repo

Summary Any authenticated low-privilege user with read access to a repository can push arbitrary commits directly to that repository, bypassing all write-access checks. Vulnerability Gitea's "Allow edits from maintainers" PR option can be abused via reverse-fork PRs: 1. The web UI PR-create...

8.5CVSS5.5AI score0.00291EPSS
Exploits0References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/16 12:0 a.m.15 views

PT-2026-50136

Name of the Vulnerable Software and Affected Versions Gitea affected versions not specified Description An authorization bypass allows any authenticated low-privilege user with read access to a repository to push arbitrary commits directly to that repository, bypassing write-access checks. This...

8.5CVSS6AI score0.00291EPSS
Exploits0References12
Circl
Circl
added 2026/05/27 8:6 a.m.15 views

CVE-2026-27771

creationtimestamp| type| source ---|---|--- 2026-05-27 08:06:32+00:00| seen| https://thehackernews.com/2026/05/gitea-vulnerability-exposes-private.html 2026-05-27 10:09:05+00:00| seen| https://t.me/thehackernews/9089 2026-05-27 12:02:14+00:00| seen|...

8.2CVSS7.1AI score0.40738EPSS
Exploits1References21
Positive Technologies
Positive Technologies
added 2026/04/19 12:0 a.m.29 views

PT-2026-43391

Name of the Vulnerable Software and Affected Versions Gitea versions prior to 1.26.2 Forgejo versions prior to 1.26.2 Description A critical access control issue in the container registry allows unauthenticated remote attackers to pull private container images without credentials. The system fail...

8.2CVSS5.8AI score0.40738EPSS
Exploits1References49
Veracode
Veracode
added 2026/03/20 10:11 a.m.7 views

Improper Access Control

code.gitea.io/gitea is vulnerable to improper access control. The vulnerability is due to insufficient authorization checks, which allows an anonymous attacker to access private user projects...

5.8CVSS7.3AI score0.00328EPSS
Exploits0References6Affected Software2
Rows per page
Query Builder