github.com/go-gitea/gitea (Go) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the Go package github.com/go-gitea/gitea, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (20)
CVE-2022-42968 — CVSS 9.8 (critical): Gitea before 1.17.3 does not sanitize and escape refs in the git backend. Arguments to git commands are mishandled.
CVE-2020-28991 — CVSS 9.8 (critical): Gitea 0.9.99 through 1.12.x before 1.12.6 does not prevent a git protocol path that specifies a TCP port number and also contains newlines…
CVE-2021-45327 — CVSS 9.8 (critical): Gitea before 1.11.2 is affected by Trusting HTTP Permission Methods on the Server Side when referencing the vulnerable admin or user API…
CVE-2026-20912 — CVSS 9.1 (critical): Gitea does not properly validate repository ownership when linking attachments to releases. An attachment uploaded to a private repository…
CVE-2026-20897 — CVSS 9.1 (critical): Gitea does not properly validate repository ownership when deleting Git LFS locks. A user with write access to one repository may be able…
CVE-2026-20750 — CVSS 9.1 (critical): Gitea does not properly validate project ownership in organization project operations. A user with project write access in one organization…
CVE-2021-45326 — CVSS 8.8 (high): Cross Site Request Forgery (CSRF) vulnerability exists in Gitea before 1.5.2 via API routes.This can be dangerous especially with state…
CVE-2019-11229 — CVSS 8.8 (high): models/repo_mirror.go in Gitea before 1.7.6 and 1.8.x before 1.8-RC3 mishandles mirror repo URL settings, leading to remote code execution.
CVE-2020-13246 — CVSS 7.5 (high): An issue was discovered in Gitea through 1.11.5. An attacker can trigger a deadlock by initiating a transfer of a repository's ownership…
CVE-2019-11228 — CVSS 7.5 (high): repo/setting.go in Gitea before 1.7.6 and 1.8.x before 1.8-RC3 does not validate the form.MirrorAddress before calling SaveAddress.
CVE-2021-3382 — CVSS 7.5 (high): Stack buffer overflow vulnerability in gitea 1.9.0 through 1.13.1 allows remote attackers to cause a denial of service (crash) via vectors…
CVE-2021-45325 — CVSS 7.5 (high): Server Side Request Forgery (SSRF) vulneraility exists in Gitea before 1.7.0 using the OpenID URL.
CVE-2026-20904 — CVSS 6.5 (medium): Gitea does not properly validate ownership when toggling OpenID URI visibility. An authenticated user may be able to change the visibility…
CVE-2026-20883 — CVSS 6.5 (medium): Gitea's stopwatch API does not re-validate repository access permissions. After a user's access to a private repository is revoked, they…
CVE-2026-20800 — CVSS 6.5 (medium): Gitea's notification API does not re-validate repository access permissions when returning notification details. After a user's access to a…
CVE-2026-25779 — CVSS 6.1 (medium): Gitea versions up to and including 1.25.4 allow redirect bypasses through raw or percent-encoded backslashes in redirect_to values.
CVE-2021-45328 — CVSS 6.1 (medium): Gitea before 1.4.3 is affected by URL Redirection to Untrusted Site ('Open Redirect') via internal URLs.
CVE-2021-45329 — CVSS 6.1 (medium): Cross Site Scripting (XSS) vulnerability exists in Gitea before 1.5.1 via the repository settings inside the external wiki/issue tracker…
CVE-2018-1000803 — CVSS 5.3 (medium): Gitea version prior to version 1.5.1 contains a CWE-200 vulnerability that can result in Exposure of users private email addresses. This…
CVE-2026-20888 — CVSS 4.3 (medium): Gitea does not properly verify authorization when canceling scheduled auto-merges via the web interface. A user with read access to pull…