| ベンダー | プロダクト | Version Range | ステータス |
|---|---|---|---|
| Gitea | Gitea Open Source Git Server | ≤ 1.26.2 | affected |
高度な大規模言語モデル技術を使用していますが、出力には不正確または古い情報が含まれる可能性があります。Shenlongはデータの正確性を確保するよう努めていますが、実際の状況に基づいて検証・判断してください。
| ベンダー | プロダクト | 影響を受けるバージョン | CPE | 購読 |
|---|---|---|---|---|
| Gitea | Gitea Open Source Git Server | 0 ~ 1.26.2 | - |
| # | POC説明 | ソースリンク | Shenlongリンク |
|---|
公開POCは見つかりませんでした。
ログインしてAI POCを生成| CVE-2026-20896 | 9.8 CRITICAL | Gitea Docker image trusts spoofable reverse-proxy headers by default |
| CVE-2026-58426 | 9.6 CRITICAL | Gitea Actions Artifacts V4 signed URL HMAC ambiguity allows cross-repository artifact read |
| CVE-2026-22874 | 9.6 CRITICAL | Gitea webhook and migration allow-list filtering permits SSRF |
| CVE-2026-58424 | 8.9 HIGH | Permanent Fork PR Workflow Approval Gate Bypass |
| CVE-2026-28737 | 8.7 HIGH | Gitea 3D file viewer allows stored XSS through glTF extensionsRequired |
| CVE-2026-26231 | 8.5 HIGH | Gitea maintainer-edit permissions allow unauthorized commits to readable repositories |
| CVE-2026-28699 | 8.1 HIGH | Gitea Basic Auth bypasses OAuth2 access token scopes |
| CVE-2026-28744 | 8.1 HIGH | Gitea Git smart HTTP bypasses repository token scopes for bearer tokens |
| CVE-2026-22555 | 8.1 HIGH | Gitea organization forks can expose organization secrets without create permission |
| CVE-2026-58423 | 7.7 HIGH | LFS authentication bypass via malformed SSH sub-verb allows unauthorized read access to pr |
| CVE-2026-28740 | 7.1 HIGH | Gitea LFS object reuse bypasses Code-unit authorization |
| CVE-2026-20779 | 7.1 HIGH | Gitea TOTP single-use enforcement defect allows OTP replay |
| CVE-2026-58418 | 6.5 MEDIUM | SSRF via HTTP Redirect in Repository Migration |
| CVE-2026-27783 | 4.3 MEDIUM | Gitea issue-template APIs bypass repository unit authorization |
| CVE-2026-25714 | 4.3 MEDIUM | Gitea user organization API bypasses public-only token filtering |
| CVE-2026-20706 | Gitea repository archive downloads bypass token scope checks | |
| CVE-2026-20909 | Gitea tracked-time list endpoint has insufficient permission checks | |
| CVE-2026-58421 | Unauthenticated ReDoS via CODEOWNERS pattern matching allows denial of service | |
| CVE-2026-58419 | Notification API leaks private issue metadata after access revocation | |
| CVE-2026-28705 | Gitea repository dumps write release assets using unsafe path names |
Showing 20 of 40 CVEs. View all on vendor page →
まだコメントはありません