17315 matches found
SUSE CVE-2026-20883
Gitea's stopwatch API does not re-validate repository access permissions. After a user's access to a private repository is revoked, they may still view issue titles and repository names through previously started stopwatches...
SUSE CVE-2026-20897
Gitea does not properly validate repository ownership when deleting Git LFS locks. A user with write access to one repository may be able to delete LFS locks belonging to other repositories...
SUSE CVE-2026-20912
Gitea does not properly validate repository ownership when linking attachments to releases. An attachment uploaded to a private repository could potentially be linked to a release in a different public repository, making it accessible to unauthorized users...
CVE-2026-25763
OpenProject is an open-source, web-based project management software. Prior to versions 16.6.7 and 17.0.3, an arbitrary file write vulnerability exists in OpenProject’s repository changes endpoint /projects/:projectid/repository/changes when rendering the “latest changes” view via git log. By...
CVE-2026-25763 Command Injection on OpenProject repositories leads to Remote Code Execution
OpenProject is an open-source, web-based project management software. Prior to versions 16.6.7 and 17.0.3, an arbitrary file write vulnerability exists in OpenProject’s repository changes endpoint /projects/:projectid/repository/changes when rendering the “latest changes” view via git log. By...
CVE-2026-25763 Command Injection on OpenProject repositories leads to Remote Code Execution
OpenProject is an open-source, web-based project management software. Prior to versions 16.6.7 and 17.0.3, an arbitrary file write vulnerability exists in OpenProject’s repository changes endpoint /projects/:projectid/repository/changes when rendering the “latest changes” view via git log. By...
EUVD-2026-5556
OpenProject is an open-source, web-based project management software. Prior to versions 16.6.7 and 17.0.3, an arbitrary file write vulnerability exists in OpenProject’s repository changes endpoint /projects/:projectid/repository/changes when rendering the “latest changes” view via git log. By...
CVE-2026-25763
OpenProject is an open-source, web-based project management software. Prior to versions 16.6.7 and 17.0.3, an arbitrary file write vulnerability exists in OpenProject’s repository changes endpoint /projects/:projectid/repository/changes when rendering the “latest changes” view via git log. By...
CVE-2026-25763 Command Injection on OpenProject repositories leads to Remote Code Execution
OpenProject is an open-source, web-based project management software. Prior to versions 16.6.7 and 17.0.3, an arbitrary file write vulnerability exists in OpenProject’s repository changes endpoint /projects/:projectid/repository/changes when rendering the “latest changes” view via git log. By...
CVE-2026-25763
OpenProject suffers a command-injection like arbitrary file write in the repository changes endpoint (/projects/:project_id/repository/changes) when rendering the latest changes via git log. A crafted rev parameter (for example rev=--output=/tmp/poc.txt) is interpreted by Git as an option, causin...
Exploit for Expression Language Injection in Siemens 6Bk1602-0Aa12-0Tp0_Firmware
ButtF - Backend Misconfiguration & Logic Flaw Exploitation Too...
Missing Authorization
Overview Affected versions of this package are vulnerable to Missing Authorization via the Delete function. An attacker can permanently remove entire repositories, including all associated data and history, by sending a DELETE request to the API endpoint while possessing only read-level access...
GHSA-RJV5-9PX2-FQW6 Gogs has authorization bypass in repository deletion API
Summary The DELETE /api/v1/repos/:owner/:repo endpoint lacks necessary permission validation middleware. Consequently, any user with read access including read-only collaborators can delete the entire repository. This vulnerability stems from the API route configuration only utilizing the...
Gogs has authorization bypass in repository deletion API
Summary The DELETE /api/v1/repos/:owner/:repo endpoint lacks necessary permission validation middleware. Consequently, any user with read access including read-only collaborators can delete the entire repository. This vulnerability stems from the API route configuration only utilizing the...
Missing Authorization
Overview Affected versions of this package are vulnerable to Missing Authorization via the Delete function. An attacker can permanently remove entire repositories, including all associated data and history, by sending a DELETE request to the API endpoint while possessing only read-level access...
Missing Authorization
Overview Affected versions of this package are vulnerable to Missing Authorization in the PutContents function accessible via the /repos/:owner/:repo/contents/ endpoint. A user with read permissions can modify repository contents via git push. Remediation Upgrade gogs.io/gogs/internal/database to...
Missing Authorization
Overview Affected versions of this package are vulnerable to Missing Authorization in the PutContents function accessible via the /repos/:owner/:repo/contents/ endpoint. A user with read permissions can modify repository contents via git push. Remediation Upgrade...
Missing Authorization
Overview Affected versions of this package are vulnerable to Missing Authorization in the PutContents function accessible via the /repos/:owner/:repo/contents/ endpoint. A user with read permissions can modify repository contents via git push. Remediation Upgrade...
Missing Authorization
Overview Affected versions of this package are vulnerable to Missing Authorization via the synchronization process when a repository file is deleted prior to synchronization. An attacker can cause the application to crash by deleting a repository file before synchronization as an authenticated...
Missing Authorization
Overview Affected versions of this package are vulnerable to Missing Authorization via the synchronization process when a repository file is deleted prior to synchronization. An attacker can cause the application to crash by deleting a repository file before synchronization as an authenticated...