CVE-2022-31268
CVE-2022-31268 affects Gitblit 1.9.3 via a path traversal / local file inclusion flaw exposed at the path /resources//../ (e.g., followed by WEB-INF or META-INF). The flaw enables reading website files on the server. Public sources in connected documents also describe risk of unauthorized fi...
CVE-2022-31267
CVE-2022-31267 affects Gitblit 1.9.2. The issue is privilege escalation via the Config User Service: a control character (for example, in an emailAddress field with a newline/tab) can be interpreted to set role = "#admin". NVD cites CVSSv2/3.1 base scores of 7.5 (HIGH) and 9.8 (CRITICAL). Rationa...
CVE-2025-50978
Gitblit v1.7.1 is affected by a reflected XSS in repository path handling caused by insufficient input sanitization of filename elements. An attacker can inject a crafted path payload to execute arbitrary JavaScript when a victim views the manipulated URL. The available connected sources confirm ...
CVE-2025-50977
Gitblit (version 1.7.1) contains a template injection vulnerability that enables reflected XSS via the r parameter. Exploitation requires authenticated admin access and can be triggered through GET requests to the /summary endpoint or POST requests to certain Wicket interfaces, enabling injection...