76 matches found
CVE-2026-27771
| creationtimestamp | type | source |
|---|---|---|
| 2026-05-27 08:06:32+00:00 | seen | https://thehackernews.com/2026/05/gitea-vulnerability-exposes-private.html |
| 2026-05-27 10:09:05+00:00 | seen | https://t.me/thehackernews/9089 |
| 2026-05-27 12:02:14+00:00 | seen | ... |
PT-2026-43391
Name of the Vulnerable Software and Affected Versions: Gitea versions prior to 1.26.2; Forgejo versions prior to 1.26.2. Description: An access control issue in the container registry allows unauthenticated remote attackers to pull private container images without credentials. The system failed to...
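For the container-registry entry above, the question an operator has is whether their own instance hands a private image's manifest to a client that sends no credentials. The following is an added check written for this page, not code from Gitea or Forgejo. It assumes the OCI Distribution layout Gitea's registry exposes, `<host>/v2/<owner>/<image>/manifests/<reference>`, treats a 200 as "served", and deliberately does not follow redirects so that a login page cannot be mistaken for a manifest.

```go
package main

import (
	"fmt"
	"net/http"
	"os"
	"strings"
	"time"
)

// Verdicts returned by CheckAnonymousPull.
const (
	Exposed      = "EXPOSED"      // manifest was served to an unauthenticated client
	NotServed    = "NOT-SERVED"   // registry refused or hid the image
	Inconclusive = "INCONCLUSIVE" // redirect, 5xx, anything else: inspect the raw status
)

// ManifestURL builds the OCI Distribution manifest endpoint for an image that
// the registry names <host>/<owner>/<image> (assumed layout for this example).
func ManifestURL(base, owner, image, reference string) string {
	return strings.TrimRight(base, "/") + "/v2/" + owner + "/" + image + "/manifests/" + reference
}

// Verdict maps the status of an anonymous manifest GET to a verdict. 401 is the
// spec's authentication challenge; 403 and 404 also mean the registry did not
// hand the manifest over, which is the outcome wanted for a private image.
func Verdict(status int) string {
	switch status {
	case http.StatusOK:
		return Exposed
	case http.StatusUnauthorized, http.StatusForbidden, http.StatusNotFound:
		return NotServed
	default:
		return Inconclusive
	}
}

// newClient never follows redirects: a 302 to an HTML login page, followed
// automatically, would come back as a 200 and look like an exposure.
func newClient() *http.Client {
	return &http.Client{
		Timeout: 15 * time.Second,
		CheckRedirect: func(*http.Request, []*http.Request) error {
			return http.ErrUseLastResponse
		},
	}
}

// CheckAnonymousPull requests the manifest with no Authorization header and
// returns the verdict, the raw HTTP status, and any transport error.
func CheckAnonymousPull(client *http.Client, manifestURL string) (string, int, error) {
	req, err := http.NewRequest(http.MethodGet, manifestURL, nil)
	if err != nil {
		return Inconclusive, 0, err
	}
	// Some registries answer 404 to clients that do not accept a manifest media type.
	req.Header.Set("Accept", "application/vnd.oci.image.manifest.v1+json, application/vnd.docker.distribution.manifest.v2+json")
	resp, err := client.Do(req)
	if err != nil {
		return Inconclusive, 0, err
	}
	defer resp.Body.Close()
	return Verdict(resp.StatusCode), resp.StatusCode, nil
}

func main() {
	if len(os.Args) != 5 {
		fmt.Fprintln(os.Stderr, "usage: anonpull <https://git.example.com> <owner> <image> <tag-or-digest>")
		os.Exit(1)
	}
	u := ManifestURL(os.Args[1], os.Args[2], os.Args[3], os.Args[4])
	verdict, status, err := CheckAnonymousPull(newClient(), u)
	if err != nil {
		fmt.Fprintln(os.Stderr, "request failed:", err)
		os.Exit(1)
	}
	fmt.Printf("%s %d %s\n", verdict, status, u)
	if verdict == Exposed {
		os.Exit(2)
	}
}
```

Run it against an image you know is private; an exit status of 2 means the registry served the manifest without credentials. A NOT-SERVED result for a private image and EXPOSED for a known public one together confirm the check is looking at the right endpoint.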
Improper Access Control
code.gitea.io/gitea is vulnerable to improper access control. The vulnerability is due to insufficient authorization checks, which allows an anonymous attacker to access private user projects...
Cross-Site Scripting (XSS)
code.gitea.io/gitea is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to improper handling of user input in the search input box used for creating tags and branches, where v-html is used instead of v-text, which allows an attacker to inject and execute malicious scripts in the...
ROS-20260224-73-0032
A vulnerability in the Gitea Git repository management system is related to access control errors. Exploitation of the vulnerability could allow an attacker acting remotely to gain unauthorized access to protected information...
SUSE CVE-2026-20904
Gitea does not properly validate ownership when toggling OpenID URI visibility. An authenticated user may be able to change the visibility settings of other users' OpenID identities...
EUVD-2026-4263
Gitea does not properly validate repository ownership when linking attachments to releases...
Authorization Bypass Through User-Controlled Key
Overview Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the ToggleUserOpenIDVisibility function. An authenticated attacker can modify the visibility settings of other users' OpenID identities. Remediation Upgrade...
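The OpenID-visibility entries above (and the release-attachment entry, which is the same class of bug) describe CWE-639: a row is fetched by an id the client supplies, and the caller's identity never enters the decision. Below is an added example, not Gitea's code, showing the vulnerable shape next to the hardened one over a constructed in-memory table; the type and field names are assumptions for the example. The fix scopes the lookup to the requester rather than bolting a comparison on afterwards, so a foreign id is indistinguishable from a missing one.

```go
package main

import (
	"errors"
	"fmt"
)

// OpenID is a constructed stand-in for the stored identity row; the field
// names are assumptions for this example, not Gitea's own model.
type OpenID struct {
	ID   int64
	UID  int64 // id of the user who owns this identity
	URI  string
	Show bool
}

// store is an in-memory table keyed by row id (constructed sample data).
type store struct {
	openIDs map[int64]*OpenID
}

var ErrNotFound = errors.New("openid: not found")

// newDemoStore seeds one identity each for alice (uid 1) and bob (uid 2).
func newDemoStore() *store {
	return &store{openIDs: map[int64]*OpenID{
		10: {ID: 10, UID: 1, URI: "https://alice.example/", Show: true},
		20: {ID: 20, UID: 2, URI: "https://bob.example/", Show: false},
	}}
}

// getByID looks the row up by the client-supplied id alone, the equivalent of
// "SELECT * FROM user_open_id WHERE id = ?".
func (s *store) getByID(id int64) (*OpenID, error) {
	o, ok := s.openIDs[id]
	if !ok {
		return nil, ErrNotFound
	}
	return o, nil
}

// getOwned scopes the lookup to the requester: "... WHERE id = ? AND uid = ?".
// A row that exists but belongs to someone else reads as missing, so the
// endpoint cannot be used to probe which ids exist.
func (s *store) getOwned(uid, id int64) (*OpenID, error) {
	o, ok := s.openIDs[id]
	if !ok || o.UID != uid {
		return nil, ErrNotFound
	}
	return o, nil
}

// ToggleVisibilityUnchecked has the vulnerable shape: requesterUID is never
// consulted, so any authenticated user can flip any row whose id they guess.
func ToggleVisibilityUnchecked(s *store, requesterUID, openIDID int64) error {
	o, err := s.getByID(openIDID)
	if err != nil {
		return err
	}
	o.Show = !o.Show
	return nil
}

// ToggleVisibility is the hardened shape: ownership is part of the query, not
// a separate check that a later refactor can drop.
func ToggleVisibility(s *store, requesterUID, openIDID int64) error {
	o, err := s.getOwned(requesterUID, openIDID)
	if err != nil {
		return err
	}
	o.Show = !o.Show
	return nil
}

func main() {
	s := newDemoStore()
	fmt.Println("unchecked, alice toggles bob's row:", ToggleVisibilityUnchecked(s, 1, 20), "show =", s.openIDs[20].Show)
	fmt.Println("checked, alice toggles bob's row:  ", ToggleVisibility(s, 1, 20), "show =", s.openIDs[20].Show)
	fmt.Println("checked, bob toggles his own row:  ", ToggleVisibility(s, 2, 20), "show =", s.openIDs[20].Show)
}
```

The same pattern applies to the release-attachment case: the attachment lookup must be constrained by the repository the release belongs to, not by the attachment id alone.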
Gitea security vulnerabilities
Gitea is a lightweight Git service developed using Go language in the Gitea community. Gitea has a security vulnerability that stems from improper verification of project ownership during organizational project operations. This vulnerability could allow a user with write access to an organization...
Gitea security vulnerabilities
Gitea is a lightweight Git service developed using Go language in the Gitea community. Gitea has a security vulnerability that stems from incorrect validation of repository access permissions. This vulnerability could allow the sending of release notification emails for private repositories to...
CVE-2022-27313
An arbitrary file deletion vulnerability in Gitea v1.16.3 allows attackers to cause a Denial of Service (DoS) via deleting the configuration file...
SUSE CVE-2025-68943
Gitea before 1.21.8 inadvertently discloses users' login times by allowing (for example) the lastlogintime explore/users sort order...
GO-2025-4265 Gitea vulnerable to Cross-site Scripting in code.gitea.io/gitea
Gitea vulnerable to Cross-site Scripting in code.gitea.io/gitea...
CVE-2025-68943
A flaw was found in Gitea. This vulnerability allows for the inadvertent disclosure of users' login times. A remote attacker can exploit this by utilizing the lastlogintime explore/users sort order, leading to the exposure of sensitive user activity information. Mitigation Mitigation for this iss...
GHSA-JHX5-4VR4-F327 Gitea inadvertently discloses users' login times by allowing (for example) the lastlogintime explore/users sort order
Gitea before 1.21.8 inadvertently discloses users' login times by allowing (for example) the lastlogintime explore/users sort order...
CVE-2025-68945
In Gitea before 1.21.2, an anonymous user can visit a private user's project...
EUVD-2025-205421
In Gitea before 1.20.1, a forbidden URL scheme such as javascript: can be used for a link, aka XSS...
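The javascript: entry above is the usual scheme-allowlist problem for user-supplied link targets. Added example, not Gitea's code: a Go validator that accepts relative links and an assumed allowlist of http, https and mailto, and rejects everything else. The point a practitioner wants to see is the bypass: browsers strip whitespace and control characters before resolving a scheme, so `java\tscript:` executes just like `javascript:`, while net/url sees no scheme at all and would classify it as a harmless relative link. The validator therefore strips those characters before parsing.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
	"unicode"
)

// allowedSchemes is the allowlist for user-supplied hrefs (an assumption for
// this example; a deployment may add or remove entries).
var allowedSchemes = map[string]bool{"http": true, "https": true, "mailto": true}

// cleanHref removes whitespace and control characters anywhere in the target,
// because browsers ignore them when resolving the scheme. Without this step
// "java\tscript:alert(1)" parses with an empty scheme and would be accepted as
// a relative link.
func cleanHref(raw string) string {
	return strings.Map(func(r rune) rune {
		if unicode.IsSpace(r) || unicode.IsControl(r) {
			return -1
		}
		return r
	}, raw)
}

// SafeHref reports whether a user-supplied link target may be emitted as an
// href. Relative targets ("/user/repo", "#anchor", "//host/path") are allowed;
// anything carrying a scheme must be on the allowlist, compared
// case-insensitively (net/url already lowercases the scheme).
func SafeHref(raw string) bool {
	u, err := url.Parse(cleanHref(raw))
	if err != nil {
		return false
	}
	if u.Scheme == "" {
		return true
	}
	return allowedSchemes[strings.ToLower(u.Scheme)]
}

func main() {
	// Constructed sample targets, as a release note or issue body might carry them.
	for _, href := range []string{
		"https://example.com/repo",
		"/alice/repo/releases",
		"javascript:alert(document.cookie)",
		"JavaScript:alert(1)",
		" javascript:alert(1)",
		"java\tscript:alert(1)",
		"data:text/html,<script>alert(1)</script>",
	} {
		fmt.Printf("%-45q safe=%v\n", href, SafeHref(href))
	}
}
```

If the rendering layer also accepts hrefs inside HTML attributes, apply this check after entity decoding, not before: `javascript&colon;alert(1)` decodes to a plain colon once the markup is parsed.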
CVE-2025-68944
CVE-2025-68944 affects Gitea before 1.22.2: token scope propagation in one of Gitea's package registries can bypass access controls. OSV and related advisories classify it as Incorrect Authorization caused by improper handling of token scopes in package registries (e.g., conta...
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization via inadequate enforcement of branch delete permissions after merging a pull request. An attacker can delete arbitrary branches. Remediation Upgrade code.gitea.io/gitea/routers/web/repo to version 1.22.5 or highe...
CVE-2025-68942
Gitea before 1.22.2 allows XSS because the search input box for creating tags and branches is v-html instead of v-text...