3 matches found
Gitea: Missing repository-unit authorization on issue-template API endpoints
Summary Three Gitea API endpoints — GET /repos/owner/repo/issuetemplates, GET /repos/owner/repo/issueconfig and GET /repos/owner/repo/issueconfig/validate — read files from the repository's Code default branch .gitea/ISSUETEMPLATE/ and issueconfig.yaml and return their contents, but are registere...
PT-2026-50137
Name of the Vulnerable Software and Affected Versions Gitea affected versions not specified Description An authorization bypass exists in three API endpoints that allow users to read specific files from a private repository's default branch even if they lack the required Code unit permissions. Th...
CVE-2025-54864 Hydra missing authentication when triggering evaluations through GitHub and Gitea plugins
Hydra is a continuous integration service for Nix based projects. Prior to commit f7bda02, /api/push-github and /api/push-gitea are called by the corresponding forge without HTTP Basic authentication. Both forges do however feature HMAC signing with a secret key. Triggering an evaluation can be...