13 matches found
PT-2026-22081
Name of the Vulnerable Software and Affected Versions OpenLIT versions prior to 1.37.1 Description OpenLIT, an open source AI engineering platform, has an issue in GitHub Actions workflows prior to version 1.37.1. These workflows use the pull request target event and execute untrusted code from...
SUSE CVE-2026-20736
Gitea does not properly verify repository context when deleting attachments. A user who previously uploaded an attachment to a repository may be able to delete it after losing access to that repository by making the request through a different repository they can access...
CVE-2026-20736
Gitea does not properly verify repository context when deleting attachments. A user who previously uploaded an attachment to a repository may be able to delete it after losing access to that repository by making the request through a different repository they can access. Mitigation Mitigation for...
Authorization Bypass Through User-Controlled Key
Overview Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via improper verification of repository context during the deletion process. An attacker can remove attachments they previously uploaded to a repository, even after losing access to that...
Authorization Bypass Through User-Controlled Key
Overview Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via improper verification of repository context during the deletion process. An attacker can remove attachments they previously uploaded to a repository, even after losing access to that...
Gitea has improper access control for uploaded attachments
Gitea does not properly verify repository context when deleting attachments. A user who previously uploaded an attachment to a repository may be able to delete it after losing access to that repository by making the request through a different repository they can access...
GHSA-HGR3-X44X-33HX Gitea has improper access control for uploaded attachments
Gitea does not properly verify repository context when deleting attachments. A user who previously uploaded an attachment to a repository may be able to delete it after losing access to that repository by making the request through a different repository they can access...
CVE-2026-20736
Gitea does not properly verify repository context when deleting attachments. A user who previously uploaded an attachment to a repository may be able to delete it after losing access to that repository by making the request through a different repository they can access...
CVE-2026-20736
Gitea does not properly verify repository context when deleting attachments. A user who previously uploaded an attachment to a repository may be able to delete it after losing access to that repository by making the request through a different repository they can access...
CVE-2026-20736
Gitea does not properly verify repository context when deleting attachments. A user who previously uploaded an attachment to a repository may be able to delete it after losing access to that repository by making the request through a different repository they can access...
CVE-2026-20736 Gitea Web Attachment Deletion: Cross-Repository Unauthorized Deletion via Missing Repo Ownership Check
Gitea does not properly verify repository context when deleting attachments. A user who previously uploaded an attachment to a repository may be able to delete it after losing access to that repository by making the request through a different repository they can access...
CVE-2026-20736
Summary: CVE-2026-20736 affects Gitea. The issue is improper access control when deleting attachments: a user who previously uploaded an attachment may delete it after losing repo access by performing the request through a different accessible repository. Affected component: attachment deletion l...
Apache Maven -- multiple vulnerabilities
The Apache Maven project reports: We received a report from Jonathan Leitschuh about a vulnerability of custom repositories in dependency POMs. We've split this up into three separate issues: Possible Man-In-The-Middle-Attack due to custom repositories using HTTP. More and more repositories use...