Lucene search

45 matches found

AlpineLinux, added 2026/01/22 10:1 p.m., 2 views

CVE-2026-20912

Gitea does not properly validate repository ownership when linking attachments to releases. An attachment uploaded to a private repository could potentially be linked to a release in a different public repository, making it accessible to unauthorized users...

CVSS 9.1, AI score 5.9, EPSS 0.00021
Exploits 0, References 5
ATTACKERKB, added 2026/01/22 10:1 p.m., 2 views

CVE-2026-20912

Gitea does not properly validate repository ownership when linking attachments to releases. An attachment uploaded to a private repository could potentially be linked to a release in a different public repository, making it accessible to unauthorized users...

CVSS 9.1, AI score 5.5, EPSS 0.00021
Exploits 0, References 6
ATTACKERKB, added 2026/01/22 10:1 p.m., 3 views

CVE-2026-20897

Gitea does not properly validate repository ownership when deleting Git LFS locks. A user with write access to one repository may be able to delete LFS locks belonging to other repositories...

CVSS 9.1, AI score 5.4, EPSS 0.00021
Exploits 0, References 6
CVE, added 2026/01/22 10:1 p.m., 9 views

CVE-2026-20897

Gitea vulnerability CVE-2026-20897: The system does not properly validate repository ownership when deleting Git LFS locks. A user with write access to one repository may delete LFS locks belonging to other repositories, enabling cross-repo access control issues. Related OSV entry GO-2026-4363 co...

CVSS 9.1, AI score 5.4, EPSS 0.00021
Exploits 0, References 5, Affected Software 1
AlpineLinux, added 2026/01/22 10:1 p.m., 3 views

CVE-2026-20897

Gitea does not properly validate repository ownership when deleting Git LFS locks. A user with write access to one repository may be able to delete LFS locks belonging to other repositories...

CVSS 9.1, AI score 5.9, EPSS 0.00021
Exploits 0, References 5
Positive Technologies, added 2026/01/22 12:0 a.m., 3 views

PT-2026-4294

Name of the Vulnerable Software and Affected Versions Gitea affected versions not specified Description The software does not correctly check ownership of repositories when managing attachments linked to releases. This can lead to a situation where an attachment from a private repository is...

CVSS 9.1, AI score 5.3, EPSS 0.00021
Exploits 0, References 16
Positive Technologies, added 2026/01/22 12:0 a.m., 2 views

PT-2026-4292

Name of the Vulnerable Software and Affected Versions Gitea affected versions not specified Description Gitea does not correctly validate repository ownership during the deletion of Git LFS locks. This allows a user with write access to a repository to potentially delete LFS locks that belong to...

CVSS 9.1, AI score 5.3, EPSS 0.00021
Exploits 0, References 18
CNNVD, added 2026/01/22 12:0 a.m., 2 views

Gitea security vulnerabilities

Gitea is a lightweight Git service written in Go and developed by the Gitea community. Gitea has a security vulnerability that stems from improper verification of repository ownership when attaching files to releases. This vulnerability may allow unauthorized users to access files...

CVSS 9.1, AI score 5.8, EPSS 0.00021
Exploits 0, References 5
EUVD, added 2025/10/03 8:7 p.m., 1 views

EUVD-2025-7802

Malicious code in bioql PyPI...

CVSS 8.5, AI score 6.3, EPSS 0.00079
Exploits 0, References 7
EUVD, added 2025/10/03 8:7 p.m., 1 views

EUVD-2022-0993

Malicious code in bioql PyPI...

CVSS 7.5, AI score 7.5, EPSS 0.00797
Exploits 1, References 4
RedhatCVE, added 2025/05/22 3:47 p.m., 4 views

CVE-2020-13246

An issue was discovered in Gitea through 1.11.5. An attacker can trigger a deadlock by initiating a transfer of a repository's ownership from one organization to another...

CVSS 7.5, AI score 6.6, EPSS 0.00797
Exploits 1
RedhatCVE, added 2025/03/15 3:29 a.m., 9 views

CVE-2025-27616

Vela is a Pipeline Automation CI/CD framework built on Linux container technology written in Golang. Prior to versions 0.25.3 and 0.26.3, by spoofing a webhook payload with a specific set of headers and body data, an attacker could transfer ownership of a repository and its repo level secrets to ...

CVSS 8.5, AI score 6.5, EPSS 0.00079
Exploits 0, References 1
OSV, added 2025/03/10 10:24 p.m., 5 views

GHSA-9M63-33Q3-XQ5X Vela Server Has Insufficient Webhook Payload Data Verification

Impact Users with an enabled repository with access to repo level CI secrets in Vela are vulnerable to the exploit. Any user with access to the CI instance and the linked source control manager can perform the exploit. Method By spoofing a webhook payload with a specific set of headers and body...

CVSS 8.5, AI score 8.4, EPSS 0.00079
Exploits 0, References 8
Github Security Blog, added 2025/03/10 10:24 p.m., 9 views

Vela Server Has Insufficient Webhook Payload Data Verification

Impact Users with an enabled repository with access to repo level CI secrets in Vela are vulnerable to the exploit. Any user with access to the CI instance and the linked source control manager can perform the exploit. Method By spoofing a webhook payload with a specific set of headers and body...

CVSS 8.5, AI score 7, EPSS 0.00079
Exploits 0, References 8, Affected Software 1
NVD, added 2025/03/10 7:15 p.m., 8 views

CVE-2025-27616

Vela is a Pipeline Automation CI/CD framework built on Linux container technology written in Golang. Prior to versions 0.25.3 and 0.26.3, by spoofing a webhook payload with a specific set of headers and body data, an attacker could transfer ownership of a repository and its repo level secrets to ...

CVSS 8.5, EPSS 0.00079
Exploits 0, References 5
OSV, added 2025/03/10 6:56 p.m., 5 views

CVE-2025-27616 Vela Server has Insufficient Webhook Payload Data Verification

Vela is a Pipeline Automation CI/CD framework built on Linux container technology written in Golang. Prior to versions 0.25.3 and 0.26.3, by spoofing a webhook payload with a specific set of headers and body data, an attacker could transfer ownership of a repository and its repo level secrets to ...

CVSS 8.5, AI score 6.3, EPSS 0.00079
Exploits 0, References 7
Vulnrichment, added 2025/03/10 6:56 p.m., 9 views

CVE-2025-27616 Vela Server has Insufficient Webhook Payload Data Verification

Vela is a Pipeline Automation CI/CD framework built on Linux container technology written in Golang. Prior to versions 0.25.3 and 0.26.3, by spoofing a webhook payload with a specific set of headers and body data, an attacker could transfer ownership of a repository and its repo level secrets to ...

CVSS 8.5, AI score 8.3, EPSS 0.00079
Exploits 0, References 5
Cvelist, added 2025/03/10 6:56 p.m., 9 views

CVE-2025-27616 Vela Server has Insufficient Webhook Payload Data Verification

Vela is a Pipeline Automation CI/CD framework built on Linux container technology written in Golang. Prior to versions 0.25.3 and 0.26.3, by spoofing a webhook payload with a specific set of headers and body data, an attacker could transfer ownership of a repository and its repo level secrets to ...

CVSS 8.5, EPSS 0.00079
Exploits 0, References 5
RedHat Linux, added 2024/07/08 11:27 a.m., 3 views

git: insecure hardlinks

A vulnerability was found in Git. This flaw allows an unauthenticated attacker to place a specialized repository on their target's local system. For performance reasons, Git uses hardlinks when cloning a repository located on the same disk. However, if the repo being cloned is owned by a differen...

CVSS 3.9, AI score 7.3, EPSS 0.00181
Exploits 1, References 5
Debian CVE, added 2024/05/14 6:54 p.m., 26 views

CVE-2024-32020

Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, local clones may end up hardlinking files into the target repository's object database when source and target repository reside on the same disk. If the source repository is owned by a...

CVSS 3.9, AI score 6.9, EPSS 0.00181
Exploits 1