46 matches found
How GitHub gave every repository a durable owner
GitHub has over 14,000 repositories across our primary internal GitHub organization. As of early 2025, there were over 11,000 non-archived repositories, the vast majority of which with no clear owner. For repositories attached to production services, we have historically had robust durable...
SUSE CVE-2026-25120
Gogs is an open source self-hosted Git service. In versions 0.13.4 and below, the DeleteComment API does not verify that the comment belongs to the repository specified in the URL. This allows a repository administrator to delete comments from any other repository by supplying arbitrary comment...
CVE-2026-25120
Gogs is an open source self-hosted Git service. In versions 0.13.4 and below, the DeleteComment API does not verify that the comment belongs to the repository specified in the URL. This allows a repository administrator to delete comments from any other repository by supplying arbitrary comment...
GHSA-CV22-72PX-F4GH Gogs has an Authorization Bypass Allows Cross-Repository Label Modification in Gogs
Summary A broken access control vulnerability in Gogs allows authenticated users with write access to any repository to modify labels belonging to other repositories. The UpdateLabel function in the Web UI internal/route/repo/issue.go fails to verify that the label being modified belongs to the...
GHSA-JJ5M-H57J-5GV7 Gogs Allows Cross-Repository Comment Deletion via DeleteComment
IDOR: Cross-Repository Comment Deletion via DeleteComment Summary The POST /:owner/:repo/issues/comments/:id/delete endpoint does not verify that the comment belongs to the repository specified in the URL. This allows a repository administrator to delete comments from any other repository by...
Gogs Allows Cross-Repository Comment Deletion via DeleteComment
IDOR: Cross-Repository Comment Deletion via DeleteComment Summary The POST /:owner/:repo/issues/comments/:id/delete endpoint does not verify that the comment belongs to the repository specified in the URL. This allows a repository administrator to delete comments from any other repository by...
PT-2026-20320
Name of the Vulnerable Software and Affected Versions Gogs versions 0.13.4 and below Description Gogs, a self-hosted Git service, has an issue where the DeleteComment API does not properly verify if a comment belongs to the repository specified in the URL. This allows a repository administrator t...
PT-2026-20321
Name of the Vulnerable Software and Affected Versions Gogs versions 0.13.4 and below Description Gogs, a self-hosted Git service, has a broken access control issue. Authenticated users with write access to a repository can modify labels belonging to other repositories. This is due to a failure in...
SUSE CVE-2026-20897
Gitea does not properly validate repository ownership when deleting Git LFS locks. A user with write access to one repository may be able to delete LFS locks belonging to other repositories...
SUSE CVE-2026-20912
Gitea does not properly validate repository ownership when linking attachments to releases. An attachment uploaded to a private repository could potentially be linked to a release in a different public repository, making it accessible to unauthorized users...
GO-2026-4364 Gitea does not properly validate repository ownership when linking attachments to releases in code.gitea.io/gitea
Gitea does not properly validate repository ownership when linking attachments to releases in code.gitea.io/gitea...
GO-2026-4363 Gitea does not properly validate repository ownership when deleting Git LFS locks in code.gitea.io/gitea
Gitea does not properly validate repository ownership when deleting Git LFS locks in code.gitea.io/gitea...
Authorization Bypass Through User-Controlled Key
Overview Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via improper validation of repository ownership when linking attachments to releases. An attacker can gain unauthorized access to attachments by linking an attachment uploaded to a privat...
EUVD-2026-4263
Gitea does not properly validate repository ownership when linking attachments to releases...
Gitea does not properly validate repository ownership when linking attachments to releases
Gitea does not properly validate repository ownership when linking attachments to releases. An attachment uploaded to a private repository could potentially be linked to a release in a different public repository, making it accessible to unauthorized users...
EUVD-2026-4264
Gitea does not properly validate repository ownership when deleting Git LFS locks...
Gitea does not properly validate repository ownership when deleting Git LFS locks
Gitea does not properly validate repository ownership when deleting Git LFS locks. A user with write access to one repository may be able to delete LFS locks belonging to other repositories...
CVE-2026-20912
Gitea does not properly validate repository ownership when linking attachments to releases. An attachment uploaded to a private repository could potentially be linked to a release in a different public repository, making it accessible to unauthorized users...
CVE-2026-20912
Gitea does not properly validate repository ownership when linking attachments to releases. An attachment uploaded to a private repository could potentially be linked to a release in a different public repository, making it accessible to unauthorized users...
CVE-2026-20912
Gitea does not properly validate repository ownership when linking attachments to releases. An attachment uploaded to a private repository could potentially be linked to a release in a different public repository, making it accessible to unauthorized users...