CVE-2026-22555
CVE-2026-22555 affects Gitea before 1.26.0. The vulnerability arises because the API endpoint POST /api/v1/repos/{owner}/{repo}/forks does not enforce CanCreateOrgRepo for organization forks, only IsOrgMember, enabling a user in a read-only team to create an org-repo fork. The fork creator gains ...