Lucene search
K

12 matches found

NVD
NVD
added 5 days ago3 views

CVE-2026-27761

Gitea versions up to and including 1.26.2 allow repository RSS and Atom feed endpoints to bypass API access token scope checks, exposing private repository commit data to tokens without the required repository scope...

4.3CVSS0.00367EPSS
Exploits0References4
NVD
NVD
added 5 days ago4 views

CVE-2026-20706

Gitea versions up to and including 1.26.1 allow repository archive downloads to bypass token scope checks on the web archive download endpoint...

9.1CVSS0.00403EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 5 days ago5 views

CVE-2026-28699

Gitea versions up to and including 1.26.1 allow OAuth2 access token scope enforcement to be bypassed through HTTP Basic authentication...

8.1CVSS5.8AI score0.00566EPSS
Exploits1References5
Cvelist
Cvelist
added 5 days ago37 views

CVE-2026-28699 Gitea Basic Auth bypasses OAuth2 access token scopes

Gitea versions up to and including 1.26.1 allow OAuth2 access token scope enforcement to be bypassed through HTTP Basic authentication...

8.1CVSS0.00566EPSS
Exploits1References4
Cvelist
Cvelist
added 5 days ago34 views

CVE-2026-27761 Gitea repository feeds bypass API token scope enforcement

Gitea versions up to and including 1.26.2 allow repository RSS and Atom feed endpoints to bypass API access token scope checks, exposing private repository commit data to tokens without the required repository scope...

4.3CVSS0.00367EPSS
Exploits0References4
CVE
CVE
added 5 days ago17 views

CVE-2026-27761

Gitea versions up to and including 1.26.2 expose private repository commit data via RSS/Atom feed endpoints by bypassing API access token scope checks. This affects feeds that do not enforce repository scope, allowing tokens without repository scope to access private data. Public references indic...

4.3CVSS7.1AI score0.00367EPSS
Exploits0References4
OSV
OSV
added 2026/06/25 6:43 p.m.4 views

GO-2026-5334 Gitea: Token scope bypass on web archive download endpoint in code.gitea.io/gitea

Gitea: Token scope bypass on web archive download endpoint in code.gitea.io/gitea...

9.1CVSS5.8AI score0.00403EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.17 views

PT-2026-50584

Name of the Vulnerable Software and Affected Versions Gitea versions prior to 1.26.2 Description Authenticated self routes under the /api/v1/user/... group do not properly enforce the public-only token restriction. This allows a token or OAuth grant marked as public-only to access or modify priva...

8.1CVSS5.9AI score
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/16 12:0 a.m.25 views

PT-2026-50138

Name of the Vulnerable Software and Affected Versions Gitea versions prior to 1.26.1 Description In the Git Smart HTTP path, the system fails to enforce repository-scoped access-token permissions when tokens are provided via Bearer authentication. While the CheckRepoScopedToken function is design...

8.1CVSS5.9AI score0.00343EPSS
Exploits0References10
NVD
NVD
added 2026/04/10 5:17 p.m.5 views

CVE-2026-40103

Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, Vikunja's scoped API token enforcement for custom project background routes is method-confused. A token with only projects.background can successfully delete a project background, while a token with only...

5.4CVSS0.00222EPSS
Exploits1References4
Vulnrichment
Vulnrichment
added 2026/04/10 4:12 p.m.2 views

CVE-2026-40103 Vikunja's Scoped API tokens with projects.background permission can delete project backgrounds

Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, Vikunja's scoped API token enforcement for custom project background routes is method-confused. A token with only projects.background can successfully delete a project background, while a token with only...

4.3CVSS5.8AI score0.00222EPSS
Exploits1References4
CVE
CVE
added 2026/01/08 1:44 p.m.27 views

CVE-2025-14025

CVE-2025-14025 affects Red Hat Ansible Automation Platform (AAP) where read-only OAuth2 tokens bypass gateway write restrictions, enabling write operations to backend services (Controller, Hub, EDA) limited only by RBAC. The issue is fixed via Red Hat advisories RHSA-2026:0360/0361, which note a ...

8.5CVSS6.2AI score0.00389EPSS
Exploits0References7
Rows per page
Query Builder