Lucene search
+L

36149 matches found

Snyk
Snyk
added 2026/06/24 9:17 p.m.3 views

Improper Handling of Exceptional Conditions

Overview Affected versions of this package are vulnerable to Improper Handling of Exceptional Conditions via the internal/route/repo/wiki.go and internal/route/repo/view.go processes. An attacker can cause the web interface to become unusable and trigger HTTP 500 errors by creating a new file and...

6.9CVSS6AI score0.0044EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/24 9:17 p.m.3 views

Improper Handling of Exceptional Conditions

Overview Affected versions of this package are vulnerable to Improper Handling of Exceptional Conditions via the internal/route/repo/wiki.go and internal/route/repo/view.go processes. An attacker can cause the web interface to become unusable and trigger HTTP 500 errors by creating a new file and...

6.9CVSS6AI score0.0044EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/24 9:17 p.m.5 views

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization via the Watch API handler. An attacker can gain unauthorized access to private repository activity by exploiting an inverted access check, allowing them to monitor commit messages, branch names, issue titles, and...

5.3CVSS6AI score0.00168EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/24 9:17 p.m.3 views

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization via the Watch API handler. An attacker can gain unauthorized access to private repository activity by exploiting an inverted access check, allowing them to monitor commit messages, branch names, issue titles, and...

5.3CVSS6AI score0.00168EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/24 9:17 p.m.4 views

User Impersonation

Overview Affected versions of this package are vulnerable to User Impersonation via the ENABLEREVERSEPROXYAUTHENTICATION process. An attacker can impersonate any user or trigger automatic account creation by forging the configured authentication header in client requests. This is only exploitable...

8.7CVSS6AI score0.00864EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/24 9:17 p.m.6 views

User Impersonation

Overview Affected versions of this package are vulnerable to User Impersonation via the ENABLEREVERSEPROXYAUTHENTICATION process. An attacker can impersonate any user or trigger automatic account creation by forging the configured authentication header in client requests. This is only exploitable...

8.7CVSS6AI score0.00864EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/24 9:17 p.m.4 views

User Impersonation

Overview Affected versions of this package are vulnerable to User Impersonation via the ENABLEREVERSEPROXYAUTHENTICATION process. An attacker can impersonate any user or trigger automatic account creation by forging the configured authentication header in client requests. This is only exploitable...

8.7CVSS6AI score0.00864EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/24 9:17 p.m.3 views

User Impersonation

Overview Affected versions of this package are vulnerable to User Impersonation via the ENABLEREVERSEPROXYAUTHENTICATION process. An attacker can impersonate any user or trigger automatic account creation by forging the configured authentication header in client requests. This is only exploitable...

8.7CVSS6AI score0.00864EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/24 9:17 p.m.6 views

Improper Neutralization of Special Elements Used in a Template Engine

Overview Affected versions of this package are vulnerable to Improper Neutralization of Special Elements Used in a Template Engine in the RenderIssueIndexPattern process. An attacker can cause a panic and disrupt service availability by configuring a specially crafted issue index pattern containi...

5.1CVSS6AI score0.00284EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/24 9:17 p.m.4 views

Improper Neutralization of Special Elements Used in a Template Engine

Overview Affected versions of this package are vulnerable to Improper Neutralization of Special Elements Used in a Template Engine in the RenderIssueIndexPattern process. An attacker can cause a panic and disrupt service availability by configuring a specially crafted issue index pattern containi...

5.1CVSS6AI score0.00284EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/24 9:17 p.m.6 views

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the webhook delivery process. An attacker can access internal network resources by supplying a webhook URL that follows redirects to hostnames within restricted local address ranges. Remediation Upgra...

8.8CVSS7.2AI score0.00402EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/24 9:17 p.m.5 views

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the webhook delivery process. An attacker can access internal network resources by supplying a webhook URL that follows redirects to hostnames within restricted local address ranges. Remediation Upgra...

8.8CVSS7.2AI score0.00402EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/24 9:17 p.m.5 views

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the webhook delivery process. An attacker can access internal network resources by supplying a webhook URL that follows redirects to hostnames within restricted local address ranges. Remediation Upgra...

8.8CVSS6AI score0.00402EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/24 9:17 p.m.5 views

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the webhook delivery process. An attacker can access internal network resources by supplying a webhook URL that follows redirects to hostnames within restricted local address ranges. Remediation Upgra...

8.8CVSS6AI score0.00402EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/24 9:17 p.m.5 views

Cross-site Request Forgery (CSRF)

Overview Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF in the organization team member management process due to the lack of CSRF protection on GET requests. An attacker can gain organization owner–equivalent privileges by tricking a logged-in organization...

8.8CVSS5.8AI score0.00248EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/24 9:17 p.m.3 views

Cross-site Request Forgery (CSRF)

Overview Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF in the organization team member management process due to the lack of CSRF protection on GET requests. An attacker can gain organization owner–equivalent privileges by tricking a logged-in organization...

8.8CVSS6AI score0.00248EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/24 9:17 p.m.5 views

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization via the SaveAddress function. An attacker can access unauthorized local repositories by providing a crafted repository address in the Mirror Settings. Remediation Upgrade github.com/gogs/gogs/internal/form to...

8.1CVSS6AI score0.00569EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/24 9:17 p.m.5 views

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization via the SaveAddress function. An attacker can access unauthorized local repositories by providing a crafted repository address in the Mirror Settings. Remediation Upgrade...

8.1CVSS6AI score0.00569EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/24 9:17 p.m.3 views

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization via the SaveAddress function. An attacker can access unauthorized local repositories by providing a crafted repository address in the Mirror Settings. Remediation Upgrade github.com/gogs/gogs/internal/route/repo ...

8.1CVSS6AI score0.00569EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/24 9:17 p.m.3 views

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization via the SaveAddress function. An attacker can access unauthorized local repositories by providing a crafted repository address in the Mirror Settings. Remediation Upgrade gogs.io/gogs/internal/form to version...

8.1CVSS6AI score0.00569EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/24 9:17 p.m.2 views

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization via the SaveAddress function. An attacker can access unauthorized local repositories by providing a crafted repository address in the Mirror Settings. Remediation Upgrade gogs.io/gogs/internal/route/api/v1/repo t...

8.1CVSS6AI score0.00569EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/24 9:17 p.m.3 views

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization via the SaveAddress function. An attacker can access unauthorized local repositories by providing a crafted repository address in the Mirror Settings. Remediation Upgrade gogs.io/gogs/internal/route/repo to versi...

8.1CVSS6AI score0.00569EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/24 9:16 p.m.6 views

Open Redirect

Overview Affected versions of this package are vulnerable to Open Redirect via the redirectto parameter. An attacker can redirect users to arbitrary external sites by crafting URLs that bypass validation in the IsSameSite function, which only inspects the first two characters of the URL string an...

5.4CVSS6.1AI score0.00554EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/24 9:16 p.m.3 views

Open Redirect

Overview Affected versions of this package are vulnerable to Open Redirect via the redirectto parameter. An attacker can redirect users to arbitrary external sites by crafting URLs that bypass validation in the IsSameSite function, which only inspects the first two characters of the URL string an...

5.4CVSS6.1AI score0.00554EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/24 9:16 p.m.5 views

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the repository migration process. An attacker can access internal resources and exfiltrate sensitive repository contents by submitting a crafted URL that redirects to an internal endpoint during...

8.7CVSS6AI score0.00384EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/24 9:16 p.m.4 views

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the repository migration process. An attacker can access internal resources and exfiltrate sensitive repository contents by submitting a crafted URL that redirects to an internal endpoint during...

8.7CVSS6AI score0.00384EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/24 9:16 p.m.3 views

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the repository migration process. An attacker can access internal resources and exfiltrate sensitive repository contents by submitting a crafted URL that redirects to an internal endpoint during...

8.7CVSS6AI score0.00384EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/24 9:16 p.m.4 views

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the repository migration process. An attacker can access internal resources and exfiltrate sensitive repository contents by submitting a crafted URL that redirects to an internal endpoint during...

8.7CVSS6AI score0.00384EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/24 9:16 p.m.6 views

Arbitrary Command Injection

Overview Affected versions of this package are vulnerable to Arbitrary Command Injection via the git rebase process when handling pull requests with specially crafted branch names that inject the --exec flag. An attacker can execute arbitrary commands on the server by submitting a malicious pull...

9.9CVSS6.2AI score0.01029EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/24 9:16 p.m.5 views

Arbitrary Command Injection

Overview Affected versions of this package are vulnerable to Arbitrary Command Injection via the git rebase process when handling pull requests with specially crafted branch names that inject the --exec flag. An attacker can execute arbitrary commands on the server by submitting a malicious pull...

9.9CVSS6.2AI score0.01029EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/24 9:16 p.m.4 views

Allocation of Resources Without Limits or Throttling

Overview github.com/gogs/gogs/internal/ssh is a painless self-hosted Git service Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the SSH handshake process. An attacker can exhaust available file descriptors and disrupt legitimate...

7.1CVSS6AI score0.00547EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/24 9:16 p.m.4 views

Allocation of Resources Without Limits or Throttling

Overview gogs.io/gogs/internal/ssh is a painless self-hosted Git service Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the SSH handshake process. An attacker can exhaust available file descriptors and disrupt legitimate access by...

7.1CVSS6AI score0.00547EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/24 9:16 p.m.3 views

Off-by-one Error

Overview Affected versions of this package are vulnerable to Off-by-one Error via the ChangeCollaborationAccessMode function. An attacker can gain owner-level privileges by exploiting an off-by-one error when modifying collaboration access modes. Remediation Upgrade...

7CVSS5.8AI score0.00499EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/24 9:16 p.m.4 views

Off-by-one Error

Overview Affected versions of this package are vulnerable to Off-by-one Error via the ChangeCollaborationAccessMode function. An attacker can gain owner-level privileges by exploiting an off-by-one error when modifying collaboration access modes. Remediation Upgrade...

7CVSS5.8AI score0.00499EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/24 9:16 p.m.5 views

Off-by-one Error

Overview Affected versions of this package are vulnerable to Off-by-one Error via the ChangeCollaborationAccessMode function. An attacker can gain owner-level privileges by exploiting an off-by-one error when modifying collaboration access modes. Remediation Upgrade...

7CVSS5.8AI score0.00499EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/24 9:16 p.m.4 views

Off-by-one Error

Overview Affected versions of this package are vulnerable to Off-by-one Error via the ChangeCollaborationAccessMode function. An attacker can gain owner-level privileges by exploiting an off-by-one error when modifying collaboration access modes. Remediation Upgrade...

7CVSS6AI score0.00499EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/24 9:16 p.m.4 views

Off-by-one Error

Overview Affected versions of this package are vulnerable to Off-by-one Error via the ChangeCollaborationAccessMode function. An attacker can gain owner-level privileges by exploiting an off-by-one error when modifying collaboration access modes. Remediation Upgrade gogs.io/gogs/internal/database...

7CVSS6AI score0.00499EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/24 9:16 p.m.4 views

Off-by-one Error

Overview Affected versions of this package are vulnerable to Off-by-one Error via the ChangeCollaborationAccessMode function. An attacker can gain owner-level privileges by exploiting an off-by-one error when modifying collaboration access modes. Remediation Upgrade gogs.io/gogs/internal/route/re...

7CVSS6AI score0.00499EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/24 9:16 p.m.4 views

Authorization Bypass Through User-Controlled Key

Overview Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the GET /attachments/:uuid process. An attacker can access sensitive attachment files by sending crafted requests to download attachments from private repositories without proper...

8.7CVSS6AI score0.00422EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/24 9:16 p.m.2 views

Authorization Bypass Through User-Controlled Key

Overview Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the GET /attachments/:uuid process. An attacker can access sensitive attachment files by sending crafted requests to download attachments from private repositories without proper...

8.7CVSS6AI score0.00422EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/24 9:15 p.m.4 views

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the /-/api/sanitizeipynb endpoint, which fails to properly restrict data URI schemes in Jupyter Notebook sanitization. An attacker can execute arbitrary JavaScript in the context of another user by submittin...

9.3CVSS5.9AI score0.00677EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/24 9:15 p.m.4 views

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the /-/api/sanitizeipynb endpoint, which fails to properly restrict data URI schemes in Jupyter Notebook sanitization. An attacker can execute arbitrary JavaScript in the context of another user by submittin...

9.3CVSS5.9AI score0.00677EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/24 9:15 p.m.3 views

Missing Authentication for Critical Function

Overview Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the GET /api/v1/orgs/:orgname/teams endpoint, which returns organization team details without requiring authentication. An attacker can access sensitive information such as team IDs, name...

6.9CVSS6AI score0.01553EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/24 9:15 p.m.3 views

Missing Authentication for Critical Function

Overview Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the GET /api/v1/orgs/:orgname/teams endpoint, which returns organization team details without requiring authentication. An attacker can access sensitive information such as team IDs, name...

6.9CVSS6AI score0.01553EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/24 9:15 p.m.3 views

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the /-/api/sanitizeipynb endpoint, which fails to properly restrict data URI schemes in Jupyter Notebook sanitization. An attacker can execute arbitrary JavaScript in the context of another user by submittin...

9.3CVSS5.8AI score0.00677EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/24 9:15 p.m.5 views

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the /-/api/sanitizeipynb endpoint, which fails to properly restrict data URI schemes in Jupyter Notebook sanitization. An attacker can execute arbitrary JavaScript in the context of another user by submittin...

9.3CVSS5.8AI score0.00677EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/24 9:0 p.m.8 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code linked to a variant of the "Miasma" supply chain attack targeting the LeoPlatform npm ecosystem. A malicious actor compromised a legitimate maintainer account and used it to publish infected versions of this...

9.8CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/06/24 9:0 p.m.8 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code linked to a variant of the "Miasma" supply chain attack targeting the LeoPlatform npm ecosystem. A malicious actor compromised a legitimate maintainer account and used it to publish infected versions of this...

9.8CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/06/24 9:0 p.m.7 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code linked to a variant of the "Miasma" supply chain attack targeting the LeoPlatform npm ecosystem. A malicious actor compromised a legitimate maintainer account and used it to publish infected versions of this...

9.8CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/06/24 9:0 p.m.8 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code linked to a variant of the "Miasma" supply chain attack targeting the LeoPlatform npm ecosystem. A malicious actor compromised a legitimate maintainer account and used it to publish infected versions of this...

9.8CVSS6AI score
Exploits0References2
Total number of security vulnerabilities36149