9 matches found
EUVD-2026-41633
Gitea versions before 1.25.5 allow draft release data or attachments to be accessed without the required write permission...
CVE-2026-26292
Gitea versions before 1.25.5 do not use the migration HTTP transport for LFS push and sync mirror operations, bypassing the configured migration transport protections for those LFS requests. Affected software: Gitea. Root cause: LFS-related operations bypass the migration HTTP transport protectio...
EUVD-2026-41631
Gitea versions before 1.25.5 do not enforce a timeout on git grep searches, allowing expensive searches to consume server resources...
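The missing control described above is a hard time budget on the external search process. The following Go block is an added example, not Gitea's own code: it wraps any external command in a context deadline so that an expensive search is killed instead of holding a worker for as long as the caller wants. The 500 ms budget and the `-I -n -e` flag set for git grep are assumptions of the example.

```go
package main

import (
	"bytes"
	"context"
	"errors"
	"fmt"
	"os/exec"
	"time"
)

// ErrSearchTimeout is returned when the search exceeds its time budget.
var ErrSearchTimeout = errors.New("search exceeded time budget")

// RunBounded runs an external command under a hard deadline. When the deadline
// passes, exec.CommandContext kills the process and the caller receives
// ErrSearchTimeout rather than blocking on an arbitrarily expensive search.
// If the command itself spawns children that inherit stdout, also set
// cmd.WaitDelay (Go 1.20+) so Wait does not block on the inherited pipe.
func RunBounded(timeout time.Duration, dir, name string, args ...string) ([]byte, error) {
	ctx, cancel := context.WithTimeout(context.Background(), timeout)
	defer cancel()
	cmd := exec.CommandContext(ctx, name, args...)
	cmd.Dir = dir
	var stdout bytes.Buffer
	cmd.Stdout = &stdout
	err := cmd.Run()
	if ctx.Err() == context.DeadlineExceeded {
		// The process was killed by the context; report that, not "signal: killed".
		return nil, ErrSearchTimeout
	}
	return stdout.Bytes(), err
}

// GitGrep is the search the advisory describes, run under the budget.
// -I skips binary files, -n prints line numbers, -e keeps a pattern that
// starts with "-" from being parsed as an option (the budget is an assumption).
func GitGrep(repoDir, pattern string, budget time.Duration) ([]byte, error) {
	return RunBounded(budget, repoDir, "git", "grep", "-I", "-n", "-e", pattern, "--")
}

func main() {
	// Stand-in for a slow search: "sleep 3" under a 500 ms budget is killed.
	out, err := RunBounded(500*time.Millisecond, "", "sleep", "3")
	fmt.Println(len(out), err)
}
```

A git grep that finds nothing exits with status 1, which `cmd.Run` reports as an `*exec.ExitError`; callers should treat that as "no matches" and reserve the error path for timeouts and real failures.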
CVE-2026-26232
Gitea before 1.25.5 is vulnerable: OAuth2 authorization codes are not consistently expired or single-use during token exchange. Affected: Gitea versions prior to 1.25.5. Root cause: lack of enforcement of expiry and single-use behavior for authorization codes during token exchange. Impact: potential...
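The two properties the advisory says were not enforced, expiry and single use, are both decided at the token endpoint. The following Go block is an added example, not Gitea's implementation: an in-memory code store (an assumption standing in for a database table) that binds each code to the client it was issued to, stamps it with an absolute expiry, and redeems it exactly once under a single lock so that concurrent or replayed exchanges cannot both succeed.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"sync"
	"time"
)

// Errors the token endpoint can return for a bad authorization code.
var (
	ErrCodeUnknown    = errors.New("authorization code not found")
	ErrCodeExpired    = errors.New("authorization code expired")
	ErrCodeReused     = errors.New("authorization code already redeemed")
	ErrClientMismatch = errors.New("authorization code was issued to another client")
)

// authCode is what the server remembers between /authorize and /token.
type authCode struct {
	clientID  string
	userID    int64
	expiresAt time.Time
	redeemed  bool
}

// CodeStore issues and redeems authorization codes. The map is an in-memory
// stand-in (an assumption of this example) for the server's database table.
type CodeStore struct {
	mu    sync.Mutex
	codes map[string]*authCode
	ttl   time.Duration
	Now   func() time.Time // injectable clock so expiry is testable
}

func NewCodeStore(ttl time.Duration) *CodeStore {
	return &CodeStore{codes: make(map[string]*authCode), ttl: ttl, Now: time.Now}
}

// Issue mints an unguessable code bound to the client and user and stamps it
// with an absolute expiry (RFC 6749 recommends a lifetime of at most 10 minutes).
func (s *CodeStore) Issue(clientID string, userID int64) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	code := base64.RawURLEncoding.EncodeToString(raw)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.codes[code] = &authCode{clientID: clientID, userID: userID, expiresAt: s.Now().Add(s.ttl)}
	return code, nil
}

// Exchange is the hardened token-exchange step: client binding, expiry and
// single use are all checked under one lock, so two concurrent /token requests
// carrying the same code cannot both succeed. A redeemed code stays in the
// store so that a replay is reported as reuse rather than as an unknown code.
func (s *CodeStore) Exchange(code, clientID string) (int64, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	ac, ok := s.codes[code]
	if !ok {
		return 0, ErrCodeUnknown
	}
	if ac.clientID != clientID {
		return 0, ErrClientMismatch
	}
	if ac.redeemed {
		// RFC 6749 section 4.1.2: a reused code must be denied, and the server
		// should also revoke any tokens it previously issued for this code.
		delete(s.codes, code)
		return 0, ErrCodeReused
	}
	if !s.Now().Before(ac.expiresAt) {
		delete(s.codes, code)
		return 0, ErrCodeExpired
	}
	ac.redeemed = true
	return ac.userID, nil
}

func main() {
	s := NewCodeStore(10 * time.Minute)
	code, _ := s.Issue("client-a", 42)
	uid, err := s.Exchange(code, "client-a")
	fmt.Println("first exchange:", uid, err)
	_, err = s.Exchange(code, "client-a")
	fmt.Println("second exchange:", err)
}
```

The order of checks matters: the client-binding check runs before the code is consumed, so a wrong client cannot burn a legitimate client's code, while reuse and expiry both remove the code so that it cannot be probed repeatedly.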
CVE-2026-25782
Gitea before 1.25.5 is affected: tracked-time entries are looked up by time ID without confirming the associated issue in the request URL, enabling deletion attempts to affect entries from a different issue. Root cause is improper scoping of the lookup. Impact is potential cross-item deletion of ...
CVE-2026-25712
CVE-2026-25712 affects Gitea prior to version 1.25.5: organization permission APIs lack sufficient visibility checks for hidden members and private organizations. The root cause is insufficient visibility checks within the organization APIs, leading to exposure of private visibili...
CVE-2026-22547
CVE-2026-22547 affects Gitea versions before 1.25.5. Repository creation fields lack validation constraints: template fields are not length-limited, and trust model and object format values are not validated, so invalid field values are accepted. The root cause is insufficient validation in the repository ...
CVE-2026-20909
CVE-2026-20909 affects Gitea prior to version 1.25.5: there are insufficient permission checks when listing tracked time entries. This could allow unauthorized access to time-tracking data via the tracked-time list endpoint due to inadequate authorization enforcement in affected builds....
EUVD-2026-41615
Gitea versions before 1.25.5 have insufficient permission checks when listing tracked time entries...
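CVE-2026-25782 (lookup of a tracked-time entry by its ID without confirming the issue in the URL) and CVE-2026-20909 / EUVD-2026-41615 (insufficient permission checks when listing tracked time) are two failures on the same feature, so one added example covers both. The Go block below is not Gitea's code: it uses an in-memory store, a simplified read/write access model, and a listing policy (readers see only their own entries, writers see all) that are assumptions of the example. It shows the unscoped lookup beside the scoped one, and a list endpoint that checks authorization before returning data.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// TrackedTime is one time-tracking entry; Issue ties an issue to its repository.
type TrackedTime struct{ ID, IssueID, UserID, Seconds int64 }
type Issue struct{ ID, RepoID int64 }

// AccessMode is the requester's permission on a repository (an assumption of
// this example, loosely modelled on read/write repository access).
type AccessMode int

const (
	AccessNone AccessMode = iota
	AccessRead
	AccessWrite
)

var (
	ErrNotFound  = errors.New("not found")
	ErrForbidden = errors.New("forbidden")
)

// Store is an in-memory stand-in for the database (assumption of this example).
type Store struct {
	issues map[int64]Issue
	times  map[int64]TrackedTime
	access map[int64]map[int64]AccessMode // repoID -> userID -> mode
}

// sampleStore returns constructed sample data: one repository, two issues,
// three tracked-time entries from different users.
func sampleStore() *Store {
	return &Store{
		issues: map[int64]Issue{10: {10, 1}, 11: {11, 1}},
		times: map[int64]TrackedTime{
			100: {100, 10, 5, 600},
			101: {101, 11, 6, 900},
			102: {102, 10, 6, 300},
		},
		access: map[int64]map[int64]AccessMode{1: {5: AccessRead, 6: AccessRead, 7: AccessWrite}},
	}
}

// DeleteTimeUnscoped is the vulnerable pattern: the entry is fetched by its
// ID alone, the issue ID from the request URL is never compared, and a
// request on issue 10 can delete an entry that belongs to issue 11.
func (s *Store) DeleteTimeUnscoped(issueID, timeID int64) error {
	if _, ok := s.times[timeID]; !ok {
		return ErrNotFound
	}
	delete(s.times, timeID)
	return nil
}

// DeleteTimeScoped is the hardened form: the issue must exist in the named
// repository and the entry must belong to that issue; anything else is
// answered as if the entry did not exist.
func (s *Store) DeleteTimeScoped(repoID, issueID, timeID int64) error {
	issue, ok := s.issues[issueID]
	if !ok || issue.RepoID != repoID {
		return ErrNotFound
	}
	tt, ok := s.times[timeID]
	if !ok || tt.IssueID != issue.ID {
		return ErrNotFound
	}
	delete(s.times, timeID)
	return nil
}

// ListTimes checks authorization before returning any data: the requester
// needs at least read access to the repository, and (a policy chosen for this
// example) readers see only their own entries while writers see everyone's.
func (s *Store) ListTimes(repoID, issueID, requester int64) ([]TrackedTime, error) {
	issue, ok := s.issues[issueID]
	if !ok || issue.RepoID != repoID {
		return nil, ErrNotFound
	}
	mode := s.access[repoID][requester] // missing user yields AccessNone
	if mode < AccessRead {
		return nil, ErrForbidden
	}
	var out []TrackedTime
	for _, tt := range s.times {
		if tt.IssueID != issueID || (mode < AccessWrite && tt.UserID != requester) {
			continue
		}
		out = append(out, tt)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].ID < out[j].ID }) // map order is random
	return out, nil
}

func main() {
	s := sampleStore()
	fmt.Println("unscoped cross-issue delete:", s.DeleteTimeUnscoped(10, 101))
	s = sampleStore()
	fmt.Println("scoped cross-issue delete:", s.DeleteTimeScoped(1, 10, 101))
	times, err := s.ListTimes(1, 10, 5)
	fmt.Println("reader's own entries:", times, err)
}
```

The scoped delete answers a mismatched issue or repository with the same "not found" as a missing entry, so the endpoint cannot be used to confirm that an entry ID exists on another issue.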