109 matches found
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization via the repository feed endpoints. An attacker can access private repository commit data by using API tokens that lack the required repository scope. Remediation Upgrade github.com/go-gitea/gitea/services/convert...
CVE-2026-28699
Gitea versions up to and including 1.26.1 allow OAuth2 access token scope enforcement to be bypassed through HTTP Basic authentication...
CVE-2026-27761
Gitea versions up to and including 1.26.2 allow repository RSS and Atom feed endpoints to bypass API access token scope checks, exposing private repository commit data to tokens without the required repository scope...
CVE-2026-20706
Gitea versions up to and including 1.26.1 allow repository archive downloads to bypass token scope checks on the web archive download endpoint...
CVE-2026-28744
Gitea versions up to and including 1.26.1 allow Git smart HTTP requests authenticated with bearer tokens to bypass repository token scope checks...
CVE-2026-28744
Gitea
CVE-2026-28699
Gitea versions up to and including 1.26.1 allow OAuth2 access token scope enforcement to be bypassed through HTTP Basic authentication...
CVE-2026-28699 Gitea Basic Auth bypasses OAuth2 access token scopes
Gitea versions up to and including 1.26.1 allow OAuth2 access token scope enforcement to be bypassed through HTTP Basic authentication...
CVE-2026-27761
Gitea versions up to and including 1.26.2 allow repository RSS and Atom feed endpoints to bypass API access token scope checks, exposing private repository commit data to tokens without the required repository scope...
CVE-2026-27761
Gitea versions up to and including 1.26.2 expose private repository commit data via RSS/Atom feed endpoints by bypassing API access token scope checks. This affects feeds that do not enforce repository scope, allowing tokens without repository scope to access private data. Public references indic...
CVE-2026-27761 Gitea repository feeds bypass API token scope enforcement
Gitea versions up to and including 1.26.2 allow repository RSS and Atom feed endpoints to bypass API access token scope checks, exposing private repository commit data to tokens without the required repository scope...
CVE-2026-27761 Gitea repository feeds bypass API token scope enforcement
Gitea versions up to and including 1.26.2 allow repository RSS and Atom feed endpoints to bypass API access token scope checks, exposing private repository commit data to tokens without the required repository scope...
CVE-2026-20706
Gitea versions up to and including 1.26.1 allow repository archive downloads to bypass token scope checks on the web archive download endpoint...
CVE-2026-20706 Gitea repository archive downloads bypass token scope checks
Gitea versions up to and including 1.26.1 allow repository archive downloads to bypass token scope checks on the web archive download endpoint...
CVE-2026-20706
Summary: CVE-2026-20706 affects Gitea up to version 1.26.1, where the web archive download endpoint allowed bypassing token scope checks, enabling access to repository archives beyond a token’s scope. Affected software: Gitea (versions ≤ 1.26.1). Root cause (as described in the sources): The /arc...
PT-2026-55602
Name of the Vulnerable Software and Affected Versions Gitea versions prior to 1.26.3 Description Repository RSS and Atom feed endpoints bypass API access token scope checks. This allows tokens that lack the necessary repository scope to access commit data from private repositories. Recommendation...
CVE-2026-14340 An incorrect authorization vulnerability in GitHub Enterprise Server allows issue creation in unrelated public repositories
An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed a user-to-server token scoped to a GitHub App installation to perform certain write operations on public repositories outside the token's intended scope. This was possible because the authorization...
CVE-2026-14340
GitHub Enterprise Server (GitHub ES) suffers an incorrect authorization vulnerability (CVE-2026-14340) where a user-to-server token scoped to a GitHub App installation could perform write operations on public repositories outside the token’s scope. The root cause is an authorization check that on...
Improper Authorization
Overview Affected versions of this package are vulnerable to Improper Authorization through the web archive download endpoint. An attacker can access resources beyond their authorized token scope by sending crafted requests to this endpoint. Remediation Upgrade...
Improper Authorization
Overview Affected versions of this package are vulnerable to Improper Authorization through the web archive download endpoint. An attacker can access resources beyond their authorized token scope by sending crafted requests to this endpoint. Remediation Upgrade...