code.gitea.io/gitea (Go) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the Go package code.gitea.io/gitea, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (52)
CVE-2024-6886: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Gitea Gitea Open Source Git…
CVE-2021-45330 — CVSS 9.8 (critical): An issue exsits in Gitea through 1.15.7, which could let a malicious user gain privileges due to client side cookies not being deleted and…
CVE-2019-11576 — CVSS 9.8 (critical): Gitea before 1.8.0 allows 1FA for user accounts that have completed 2FA enrollment. If a user's credentials are known, then an attacker…
CVE-2022-42968 — CVSS 9.8 (critical): Gitea before 1.17.3 does not sanitize and escape refs in the git backend. Arguments to git commands are mishandled.
CVE-2018-18926 — CVSS 9.8 (critical): Gitea before 1.5.4 allows remote code execution because it does not properly validate session IDs. This is related to session ID handling…
CVE-2021-45331 — CVSS 9.8 (critical): An Authentication Bypass vulnerability exists in Gitea before 1.5.0, which could let a malicious user gain privileges. If captured, the…
CVE-2021-45327 — CVSS 9.8 (critical): Gitea before 1.11.2 is affected by Trusting HTTP Permission Methods on the Server Side when referencing the vulnerable admin or user API…
CVE-2026-20750 — CVSS 9.1 (critical): Gitea does not properly validate project ownership in organization project operations. A user with project write access in one organization…
CVE-2026-20706 — CVSS 9.1 (critical): Gitea versions up to and including 1.26.1 allow repository archive downloads to bypass token scope checks on the web archive download…
CVE-2026-20912 — CVSS 9.1 (critical): Gitea does not properly validate repository ownership when linking attachments to releases. An attachment uploaded to a private repository…
CVE-2026-20897 — CVSS 9.1 (critical): Gitea does not properly validate repository ownership when deleting Git LFS locks. A user with write access to one repository may be able…
CVE-2026-28737 — CVSS 8.7 (high): Gitea versions from 1.25.0 before 1.26.0 allow stored cross-site scripting through the extensionsRequired field in glTF files rendered by…
CVE-2018-15192 — CVSS 8.6 (high): An SSRF vulnerability in webhooks in Gitea through 1.5.0-rc2 and Gogs through 0.11.53 allows remote attackers to access intranet services.
CVE-2026-26231 — CVSS 8.5 (high): Gitea versions up to and including 1.26.1 allow the Allow edits from maintainers permission path to authorize commits to repositories that…
CVE-2025-68939 — CVSS 8.2 (high): Gitea before 1.23.0 allows attackers to add attachments with forbidden file extensions by editing an attachment name via an attachment API.
CVE-2026-28699 — CVSS 8.1 (high): Gitea versions up to and including 1.26.1 allow OAuth2 access token scope enforcement to be bypassed through HTTP Basic authentication.
CVE-2026-22555 — CVSS 8.1 (high): Gitea versions before 1.26.0 allow API users to fork a repository into an organization without first passing the CanCreateOrgRepo check…
CVE-2026-28744 — CVSS 8.1 (high): Gitea versions up to and including 1.26.1 allow Git smart HTTP requests authenticated with bearer tokens to bypass repository token scope…
CVE-2026-20736 — CVSS 7.5 (high): Gitea does not properly verify repository context when deleting attachments. A user who previously uploaded an attachment to a repository…
CVE-2021-3382 — CVSS 7.5 (high): Stack buffer overflow vulnerability in gitea 1.9.0 through 1.13.1 allows remote attackers to cause a denial of service (crash) via vectors…
CVE-2022-27313 — CVSS 7.5 (high): An arbitrary file deletion vulnerability in Gitea v1.16.3 allows attackers to cause a Denial of Service (DoS) via deleting the…
CVE-2020-13246 — CVSS 7.5 (high): An issue was discovered in Gitea through 1.11.5. An attacker can trigger a deadlock by initiating a transfer of a repository's ownership…
CVE-2020-14144 — CVSS 7.2 (high): The git hook feature in Gitea 1.1.0 through 1.12.5 might allow for authenticated remote code execution in customer environments where the…
CVE-2026-20883 — CVSS 6.5 (medium): Gitea's stopwatch API does not re-validate repository access permissions. After a user's access to a private repository is revoked, they…
CVE-2019-1000002 — CVSS 6.5 (medium): Gitea version 1.6.2 and earlier contains a Incorrect Access Control vulnerability in Delete/Edit file functionallity that can result in the…
CVE-2022-38183 — CVSS 6.5 (medium): In Gitea before 1.16.9, it was possible for users to add existing issues to projects. Due to improper access controls, an attacker could…
CVE-2026-20800 — CVSS 6.5 (medium): Gitea's notification API does not re-validate repository access permissions when returning notification details. After a user's access to a…
CVE-2026-20904 — CVSS 6.5 (medium): Gitea does not properly validate ownership when toggling OpenID URI visibility. An authenticated user may be able to change the visibility…
CVE-2026-25779 — CVSS 6.1 (medium): Gitea versions up to and including 1.25.4 allow redirect bypasses through raw or percent-encoded backslashes in redirect_to values.
CVE-2019-1010314 — CVSS 6.1 (medium): Gitea 1.7.2, 1.7.3 is affected by: Cross Site Scripting (XSS). The impact is: execute JavaScript in victim's browser, when the vulnerable…
CVE-2019-1010261 — CVSS 6.1 (medium): Gitea 1.7.0 and earlier is affected by: Cross Site Scripting (XSS). The impact is: Attacker is able to have victim execute arbitrary JS in…
CVE-2025-68942 — CVSS 5.4 (medium): Gitea before 1.22.2 allows XSS because the search input box (for creating tags and branches) is v-html instead of v-text.
CVE-2025-68943 — CVSS 5.3 (medium): Gitea before 1.21.8 inadvertently discloses users' login times by allowing (for example) the lastlogintime explore/users sort order.
CVE-2025-69413 — CVSS 5.3 (medium): In Gitea before 1.25.2, /api/v1/user has different responses for failed authentication depending on whether a username exists.
CVE-2025-68944 — CVSS 5.0 (medium): Gitea before 1.22.2 sometimes mishandles the propagation of token scope for access control within one of its own package registries.
CVE-2025-68941 — CVSS 4.9 (medium): Gitea before 1.22.3 mishandles access to a private resource upon receiving an API token with scope limited to public resources.
CVE-2026-25714 — CVSS 4.3 (medium): Gitea versions up to and including 1.26.1 do not apply public-only token filtering consistently to the user organization API, leaving an…
CVE-2026-27783 — CVSS 4.3 (medium): Gitea versions up to and including 1.26.1 do not enforce repository-unit authorization on issue-template API endpoints.
CVE-2026-20888 — CVSS 4.3 (medium): Gitea does not properly verify authorization when canceling scheduled auto-merges via the web interface. A user with read access to pull…
CVE-2021-28378 — CVSS 3.7 (low): Gitea 1.12.x and 1.13.x before 1.13.4 allows XSS via certain issue data in some situations.
CVE-2026-0798 — CVSS 3.5 (low): Gitea may send release notification emails for private repositories to users whose access has been revoked. When a repository is changed…
CVE-2025-68940 — CVSS 3.1 (low): In Gitea before 1.22.5, branch deletion permissions are not adequately enforced after merging a pull request.