623 matches found
Access Control Bypass
Overview Affected versions of this package are vulnerable to Access Control Bypass in the LFS mirror synchronization process. An attacker can bypass configured HTTP transport restrictions by initiating LFS push or sync mirror operations, allowing unauthorized network requests to be made outside o...
Authorization Bypass Through User-Controlled Key
Overview Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key in the LFS object reuse process. An attacker can gain unauthorized access to private source objects by leveraging repository access without having the required Code-unit permissions...
CVE-2026-58423
The CVE-2026-58423 entry concerns Gitea’s LFS authentication: a malformed SSH sub-verb allows unauthorized read access to private repositories. The issue is described as an authentication bypass that can enable read access without credentials, affecting LFS handling in affected Gitea deployments....
CVE-2026-28740
CVE-2026-28740 affects Gitea up to version 1.26.2. The issue allows Git LFS object reuse to authorize private source objects for users with repository access but without Code-unit access (root cause: LFS object reuse bypassing Code-unit authorization). Impact is unauthorized access to private sou...
CVE-2026-26292
Gitea versions before 1.25.5 are affected: LFS push and LFS mirror synchronization do not use the migration HTTP transport, bypassing configured migration transport protections for those requests. This is evidenced by CVE-2026-26292 and corroborated by multiple connected sources (NVD/NIST and thi...
PT-2026-55607
Name of the Vulnerable Software and Affected Versions Gitea versions prior to 1.26.3 Description Git LFS Large File Storage object reuse allows users with repository access to authorize private source objects even if they lack Code-unit access. Recommendations Update Gitea to version 1.26.3 or...
PT-2026-55598
Name of the Vulnerable Software and Affected Versions Gitea versions prior to 1.25.5 Description LFS push and sync mirror operations do not utilize the migration HTTP transport. This behavior allows LFS requests to bypass the configured migration transport protections. Recommendations Update Gite...
git-lfs security update
An update is available for git-lfs. This update affects Rocky Linux 9. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list Git Large File Storage LFS replaces large files such as audio samples, videos...
git-lfs security update
An update is available for git-lfs. This update affects Rocky Linux 8. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list Git Large File Storage LFS replaces large files such as audio samples, videos...
RHSA-2026:30855 Red Hat Security Advisory: git-lfs security update
Bulletin has no description...
AlmaLinux 10 : git-lfs (ALSA-2026:30855)
The remote AlmaLinux 10 host has a package installed that is affected by a vulnerability as referenced in the ALSA-2026:30855 advisory. golang.org/x/net/idna: golang: golang.org/x/net/idna: Privilege escalation via incorrect Punycode label processing CVE-2026-39821 Tenable has extracted the...
Oracle Linux 9 : git-lfs (ELSA-2026-30854)
The remote Oracle Linux 9 host has a package installed that is affected by a vulnerability as referenced in the ELSA-2026-30854 advisory. - Fix CVE-2026-39821: vendored golang.org/x/net/idna ToUnicode incorrectly accepting all-ASCII xn-- labels Tenable has extracted the preceding description bloc...
Oracle Linux 8 : git-lfs (ELSA-2026-30853)
The remote Oracle Linux 8 host has a package installed that is affected by a vulnerability as referenced in the ELSA-2026-30853 advisory. - Backport CVE-2026-39821 fix vendored golang.org/x/net IDNA Tenable has extracted the preceding description block directly from the Oracle Linux security...
RHEL 10 : git-lfs (RHSA-2026:30855)
The remote Redhat Enterprise Linux 10 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2026:30855 advisory. Git Large File Storage LFS replaces large files such as audio samples, videos, datasets, and graphics with text pointers inside Git, while storing...
RHSA-2026:30854 Red Hat Security Advisory: git-lfs security update
Bulletin has no description...
Important: Red Hat Security Advisory: git-lfs security update
An update for git-lfs is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from t...
Oracle Linux 9 : git-lfs (ELSA-2026-19350)
The remote Oracle Linux 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the ELSA-2026-19350 advisory. 3.7.1-4 - Rebuild with new Golang - Resolves: RHEL-158765, RHEL-166675, RHEL-167677, RHEL-170838 Tenable has extracted the preceding description block...
CLEANSTART-2026-PE03587 Security fixes for CVE-2021-38561, CVE-2022-27191 applied in versions: 3.1.2-r3, 3.1.2-r4
Multiple security vulnerabilities affect the git-lfs package. These issues are resolved in later releases. See references for individual vulnerability details...
CLEANSTART-2026-RR97166 Security fixes for CVE-2021-38561, CVE-2022-27191 applied in versions: 3.1.2-r3, 3.1.2-r4
Multiple security vulnerabilities affect the git-lfs package. These issues are resolved in later releases. See references for individual vulnerability details...
CVE-2026-39821 affecting package git-lfs for versions less than 3.6.1-3
CVE-2026-39821 affecting package git-lfs for versions less than 3.6.1-3. A patched version of the package is available...