10050 matches found

GitHub Security Blog
added 2026/01/23 12:31 a.m. | 6 views

Gitea does not properly validate repository ownership when deleting Git LFS locks

Gitea does not properly validate repository ownership when deleting Git LFS locks. A user with write access to one repository may be able to delete LFS locks belonging to other repositories...

CVSS 9.1 | AI score 5.4 | EPSS 0.00021
Exploits: 0 | References: 7 | Affected Software: 1

Snyk
added 2026/01/23 12:31 a.m. | 1 view

Authorization Bypass Through User-Controlled Key

Overview code.gitea.io/gitea/modules/git is a Go module to access Git through shell commands. Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via improper validation of repository ownership in the delete process for Git LFS locks. An attacker c...

CVSS 9.1 | AI score 5.9 | EPSS 0.00021
Exploits: 0 | References: 2

OSV
added 2026/01/22 10:16 p.m. | 4 views

CVE-2026-20897

Gitea does not properly validate repository ownership when deleting Git LFS locks. A user with write access to one repository may be able to delete LFS locks belonging to other repositories...

CVSS 9.1 | AI score 5.5
Exploits: 0 | References: 5

NVD
added 2026/01/22 10:16 p.m. | 4 views

CVE-2026-20897

Gitea does not properly validate repository ownership when deleting Git LFS locks. A user with write access to one repository may be able to delete LFS locks belonging to other repositories...

CVSS 9.1 | EPSS 0.00021
Exploits: 0 | References: 5

AlpineLinux
added 2026/01/22 10:1 p.m. | 3 views

CVE-2026-20897

Gitea does not properly validate repository ownership when deleting Git LFS locks. A user with write access to one repository may be able to delete LFS locks belonging to other repositories...

CVSS 9.1 | AI score 5.9 | EPSS 0.00021
Exploits: 0 | References: 5

Cvelist
added 2026/01/22 10:1 p.m. | 15 views

CVE-2026-20897 Gitea Git LFS Lock Deletion Broken Access Control (Cross-Repo IDOR)

Gitea does not properly validate repository ownership when deleting Git LFS locks. A user with write access to one repository may be able to delete LFS locks belonging to other repositories...

EPSS 0.00021
Exploits: 0 | References: 5

Vulnrichment
added 2026/01/22 10:1 p.m. | 2 views

CVE-2026-20897 Gitea Git LFS Lock Deletion Broken Access Control (Cross-Repo IDOR)

Gitea does not properly validate repository ownership when deleting Git LFS locks. A user with write access to one repository may be able to delete LFS locks belonging to other repositories...

AI score 5.4 | EPSS 0.00021
Exploits: 0 | References: 5

CNNVD
added 2026/01/22 12:0 a.m. | 2 views

Gitea security vulnerabilities

Gitea is a lightweight Git service developed using Go language in the Gitea community. Gitea has a security vulnerability that stems from the improper verification of repository ownership when deleting the Git LFS lock. This vulnerability could allow a user with write permissions to a repository ...

CVSS 9.1 | AI score 5.8 | EPSS 0.00021
Exploits: 0 | References: 5

CNNVD
added 2026/01/22 12:0 a.m. | 1 view

Soft Serve security vulnerability

Soft Serve is a self-hosted command-line Git server developed by Charm. Versions of Soft Serve prior to 0.11.2 contained security vulnerabilities. These vulnerabilities stemmed from authentication bypasses, allowing attackers to provide the victim’s public key during the SSH handshake phase,...

CVSS 9.8 | AI score 5.8 | EPSS 0.00053
Exploits: 0 | References: 4

ATTACKERKB
added 2026/01/21 5:27 p.m. | 2 views

CVE-2021-47874

VFS for Git 1.0.21014.1 contains an unquoted service path vulnerability in the GVFS.Service Windows service that allows local attackers to execute code with elevated privileges. Attackers can exploit the unquoted binary path to inject malicious executables that will be launched with LocalSystem...

CVSS 8.5 | AI score 5.7 | EPSS 0.00023
Exploits: 0 | References: 3 | Affected Software: 1

CVE
added 2026/01/21 5:27 p.m. | 13 views

CVE-2021-47874

CVE-2021-47874 affects VFS for Git 1.0.21014.1, specifically the GVFS.Service Windows service. The issue is an unquoted service path that allows local attackers to execute code with elevated privileges by injecting a malicious executable that gets launched with LocalSystem rights during service s...

CVSS 8.5 | AI score 5.8 | EPSS 0.00023
Exploits: 0 | References: 3

EUVD
added 2026/01/21 5:27 p.m. | 4 views

EUVD-2026-3627

VFS for Git 1.0.21014.1 contains an unquoted service path vulnerability in the GVFS.Service Windows service that allows local attackers to execute code with elevated privileges. Attackers can exploit the unquoted binary path to inject malicious executables that will be launched with LocalSystem...

CVSS 8.5 | AI score 5.8 | EPSS 0.00023
Exploits: 0 | References: 5

Cvelist
added 2026/01/21 5:27 p.m. | 15 views

CVE-2021-47874 VFS for Git 1.0.21014.1 - 'GVFS.Service' Unquoted Service Path

VFS for Git 1.0.21014.1 contains an unquoted service path vulnerability in the GVFS.Service Windows service that allows local attackers to execute code with elevated privileges. Attackers can exploit the unquoted binary path to inject malicious executables that will be launched with LocalSystem...

CVSS 8.5 | EPSS 0.00023
Exploits: 0 | References: 3

Positive Technologies
added 2026/01/21 12:0 a.m. | 2 views

PT-2026-3826

VFS for Git 1.0.21014.1 contains an unquoted service path vulnerability in the GVFS.Service Windows service that allows local attackers to execute code with elevated privileges. Attackers can exploit the unquoted binary path to inject malicious executables that will be launched with LocalSystem...

CVSS 8.5 | AI score 5.8 | EPSS 0.00023
Exploits: 0 | References: 4

OSV
added 2026/01/20 8:39 p.m. | 3 views

CLSA-2026-1768917823 git: Fix of CVE-2024-32021

CVE-2024-32021: fix symlink bypass, abort when hardlinked source and target file differ...

CVSS 7.1 | AI score 6.8 | EPSS 0.00021
Exploits: 1 | References: 1

The Hacker News
added 2026/01/20 1:55 p.m. | 13 views

Three Flaws in Anthropic MCP Git Server Enable File Access and Code Execution

A set of three security vulnerabilities has been disclosed in mcp-server-git, the official Git Model Context Protocol MCP server maintained by Anthropic, that could be exploited to read or delete arbitrary files and execute code under certain conditions. "These flaws can be exploited through prom...

CVSS 6.5 | AI score 7.2 | EPSS 0.00177
Exploits: 0

Tenable Nessus
added 2026/01/20 12:0 a.m. | 2 views

MiracleLinux 8 : nodejs:14 (AXSA:2021-2343:01)

The remote MiracleLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2021-2343:01 advisory. nodejs-hosted-git-info: Regular Expression denial of service via shortcutMatch in fromUrl CVE-2021-23362 nodejs-ssri: Regular expression DoS ReDoS...

CVSS 7.5 | AI score 7.7 | EPSS 0.02458
Exploits: 3 | References: 4

Tenable Nessus
added 2026/01/20 12:0 a.m. | 4 views

MiracleLinux 7 : git-1.8.3.1-22.el7 (AXSA:2020-001:03)

The remote MiracleLinux 7 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2020-001:03 advisory. git: Crafted URL containing new lines can cause credential leak CVE-2020-5260 Tenable has extracted the preceding description block directly from the...

CVSS 9.3 | AI score 7 | EPSS 0.373
Exploits: 2 | References: 2

Tenable Nessus
added 2026/01/20 12:0 a.m. | 2 views

MiracleLinux 7 : git-1.8.3.1-24.el7 (AXSA:2023-5173:03)

The remote MiracleLinux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2023-5173:03 advisory. git: gitattributes parsing integer overflow CVE-2022-23521 git: Heap overflow in git archive, git log --format leading to RCE CVE-2022-41903 Tenable...

CVSS 9.8 | AI score 8.5 | EPSS 0.17802
Exploits: 0 | References: 3

Tenable Nessus
added 2026/01/20 12:0 a.m. | 5 views

MiracleLinux 4 : git-1.7.1-10.AXS4 (AXSA:2020-4438:02)

The remote MiracleLinux 4 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2020-4438:02 advisory. git: arbitrary code execution via .gitmodules CVE-2018-17456 Tenable has extracted the preceding description block directly from the MiracleLinux security...

CVSS 9.8 | AI score 7.9 | EPSS 0.59226
Exploits: 12 | References: 2