Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

Gitea Open Source Git Server — Vulnerabilities & Security Advisories 50

All 50 CVE vulnerabilities found in Gitea Open Source Git Server, with AI-generated Chinese analysis, references, and POCs.

This page documents Common Weakness Enumerations associated with the Gitea open source git server product. It aggregates vulnerability data to provide a comprehensive view of security issues impacting this specific self-hosted code hosting platform. The content on this page collects reports from various sources, tracking known weaknesses that affect the stability and security of Gitea instances. The time range covered includes all recorded incidents from the product's inception through the most recent public disclosures, ensuring a historical perspective on how the software has evolved in response to security challenges. This chronological approach allows administrators and developers to see not only current risks but also the context of past remediation efforts. Visitors to this aggregation page can discover detailed insights into the security posture of the Gitea ecosystem. You can track a vendor's advisories as they are released, understanding the timeline and severity of reported issues. Furthermore, this resource enables users to understand a weakness class by observing how specific vulnerabilities manifest in the context of git server operations. It also allows you to look up a product's vulnerability history, helping you assess the long-term maintenance quality and patch responsiveness of the Gitea project. By centralizing this information, the page serves as a critical reference for security teams evaluating Gitea for deployment or conducting ongoing risk assessments.

Vendor: Gitea

CVE IDTitleCVSSSeverityPublished
CVE-2026-58426 Gitea Actions Artifacts V4 signed URL HMAC ambiguity allows cross-repository artifact read and cross-task upload-state write CWE-347 9.6 Critical2026-07-03
CVE-2026-58423 LFS authentication bypass via malformed SSH sub-verb allows unauthorized read access to private repositories CWE-287 7.7 High2026-07-03
CVE-2026-58424 Permanent Fork PR Workflow Approval Gate Bypass CWE-285 8.9 High2026-07-03
CVE-2026-58422 Improper authorization on OAuth sign-in callback silently re-enables administrator-disabled accounts CWE-284--2026-07-03
CVE-2026-58419 Notification API leaks private issue metadata after access revocation CWE-200--2026-07-03
CVE-2026-58421 Unauthenticated ReDoS via CODEOWNERS pattern matching allows denial of service CWE-284--2026-07-03
CVE-2026-58418 SSRF via HTTP Redirect in Repository Migration CWE-918 6.5 Medium2026-07-03
CVE-2026-28740 Gitea LFS object reuse bypasses Code-unit authorization CWE-639 7.1 High2026-07-03
CVE-2026-28744 Gitea Git smart HTTP bypasses repository token scopes for bearer tokens CWE-863 8.1 High2026-07-03
CVE-2026-28737 Gitea 3D file viewer allows stored XSS through glTF extensionsRequired CWE-79 8.7 High2026-07-03
CVE-2026-28699 Gitea Basic Auth bypasses OAuth2 access token scopes CWE-284 8.1 High2026-07-03
CVE-2026-28705 Gitea repository dumps write release assets using unsafe path names CWE-22--2026-07-03
CVE-2026-27780 Gitea pre-receive hook can miss branch-protection checks after scanner errors CWE-863--2026-07-03
CVE-2026-27779 Gitea forwarded-proto handling allows public URL spoofing CWE-284--2026-07-03
CVE-2026-27783 Gitea issue-template APIs bypass repository unit authorization CWE-862 4.3 Medium2026-07-03
CVE-2026-27771 Gitea Composer package source links use insufficient permission checks CWE-862--2026-07-03
CVE-2026-27775 Gitea pre-receive hook permission cache allows full repository write access CWE-863--2026-07-03
CVE-2026-27761 Gitea repository feeds bypass API token scope enforcement CWE-863 4.3 Medium2026-07-03
CVE-2026-27657 Gitea email settings allow changing another user's primary email address CWE-639--2026-07-03
CVE-2026-27660 Gitea draft releases use insufficient permission checks CWE-284--2026-07-03
CVE-2026-26307 Gitea git grep search lacks a timeout CWE-400--2026-07-03
CVE-2026-26292 Gitea LFS mirror synchronization bypasses migration HTTP transport restrictions CWE-284--2026-07-03
CVE-2026-26247 Gitea OAuth2 PKCE S256 challenges are not enforced during token exchange CWE-284--2026-07-03
CVE-2026-26232 Gitea OAuth2 authorization codes lack expiry and reuse enforcement CWE-294--2026-07-03
CVE-2026-26231 Gitea maintainer-edit permissions allow unauthorized commits to readable repositories CWE-863 8.5 High2026-07-03
CVE-2026-25782 Gitea tracked-time deletion can target entries from another issue CWE-639--2026-07-03
CVE-2026-25718 Gitea template repository generation mishandles symlinked paths CWE-59--2026-07-03
CVE-2026-25714 Gitea user organization API bypasses public-only token filtering CWE-862 4.3 Medium2026-07-03
CVE-2026-25779 Gitea redirect handling permits open redirects through backslash paths CWE-601--2026-07-03
CVE-2026-24690 Gitea pull-request branch updates use insufficient permission checks CWE-284--2026-07-03

All 50 known CVE vulnerabilities affecting Gitea Open Source Git Server with full Chinese analysis, references, and POCs where available.