CVE-2025-68937
CVE-2025-68937 is a critical-severity vulnerability with a CVSS 4.0 base score of 9.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-61.
Key facts
- Severity: Critical (CVSS 4.0 base score 9.5)
- EPSS exploit prediction: 0% (39th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2025-205401
- Weakness: CWE-61
- Published:
- Last modified:
Description
Forgejo before 13.0.2 allows attackers to write to unintended files, and possibly obtain server shell access, because of mishandling of out-of-repository symlink destinations for template repositories. This is also fixed for 11 LTS in 11.0.7 and later.
Frequently asked questions
- What is CVE-2025-68937?
- Forgejo before 13.0.2 allows attackers to write to unintended files, and possibly obtain server shell access, because of mishandling of out-of-repository symlink destinations for template repositories. This is also fixed for 11 LTS in 11.0.7 and later.
- How severe is CVE-2025-68937?
- CVE-2025-68937 has a CVSS 4.0 base score of 9.5, rated critical severity.
- Is CVE-2025-68937 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (39th percentile), an estimate of the probability of exploitation in the next 30 days.
- How do I fix CVE-2025-68937?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its critical severity, prioritise patching exposed systems.
- Does CVE-2025-68937 have an EU (EUVD) identifier?
- Yes. CVE-2025-68937 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-205401.
- When was CVE-2025-68937 published?
- CVE-2025-68937 was published on 2025-12-26 and last updated on 2026-06-17.
References
- https://blog.gitea.com/release-of-1.24.7/
- https://codeberg.org/forgejo/forgejo/milestone/27340
- https://codeberg.org/forgejo/forgejo/milestone/29156
- https://codeberg.org/forgejo/forgejo/src/branch/forgejo/release-notes-published/11.0.7.md
- https://codeberg.org/forgejo/forgejo/src/branch/forgejo/release-notes-published/13.0.2.md
- https://codeberg.org/forgejo/security-announcements/issues/43
Other CWE-61 vulnerabilities
- CVE-2026-34078 — Critical (CVSS 10.0): Flatpak is a Linux application sandboxing and distribution framework. Prior to 1.16.4, the Flatpak portal accepts paths…
- CVE-2025-62596 — Critical (CVSS 10.0): Youki is a container runtime written in Rust. In versions 0.5.6 and below, youki’s apparmor handling performs…
- CVE-2025-62161 — Critical (CVSS 10.0): Youki is a container runtime written in Rust. In versions 0.5.6 and below, the initial validation of the source…
- CVE-2025-23394 — Critical (CVSS 9.8): A UNIX Symbolic Link (Symlink) Following vulnerability in openSUSE Tumbleweed cyrus-imapd allows escalation from cyrus…
- CVE-2024-54661 — Critical (CVSS 9.8): readline.sh in socat before1.8.0.2 relies on the /tmp/$USER/stderr2 file.
- CVE-2026-55447 — Critical (CVSS 9.6): Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.2, by controlling a files…