Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

Gitea — Vulnerabilities & Security Advisories 63

Browse all 63 CVE security advisories affecting Gitea. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Gitea is a lightweight, self-hosted Git service designed to provide version control and collaboration features similar to GitHub or GitLab. Its architecture prioritizes ease of deployment and low resource consumption, making it popular among small to medium-sized organizations seeking an alternative to heavier platforms. Historically, security audits have identified several critical vulnerability classes within the codebase, including remote code execution (RCE), cross-site scripting (XSS), and privilege escalation flaws. These issues often stem from improper input validation or insufficient access controls in specific endpoints. While no massive, widespread breaches have defined its public history, the presence of twenty-two recorded CVEs indicates a pattern of discrete security defects that require diligent patching. The project’s open-source nature allows for community-driven scrutiny, yet the frequency of these findings underscores the necessity for rigorous code review and timely updates to maintain a secure development environment.

CVE IDTitleCVSSSeverityPublished
CVE-2026-58426 Gitea Actions Artifacts V4 signed URL HMAC ambiguity allows cross-repository artifact read and cross-task upload-state write — Gitea Open Source Git ServerCWE-347 9.6 Critical2026-07-03
CVE-2026-58423 LFS authentication bypass via malformed SSH sub-verb allows unauthorized read access to private repositories — Gitea Open Source Git ServerCWE-287 7.7 High2026-07-03
CVE-2026-58424 Permanent Fork PR Workflow Approval Gate Bypass — Gitea Open Source Git ServerCWE-285 8.9 High2026-07-03
CVE-2026-58422 Improper authorization on OAuth sign-in callback silently re-enables administrator-disabled accounts — Gitea Open Source Git ServerCWE-284--2026-07-03
CVE-2026-58419 Notification API leaks private issue metadata after access revocation — Gitea Open Source Git ServerCWE-200--2026-07-03
CVE-2026-58421 Unauthenticated ReDoS via CODEOWNERS pattern matching allows denial of service — Gitea Open Source Git ServerCWE-284--2026-07-03
CVE-2026-58418 SSRF via HTTP Redirect in Repository Migration — Gitea Open Source Git ServerCWE-918 6.5 Medium2026-07-03
CVE-2026-28740 Gitea LFS object reuse bypasses Code-unit authorization — Gitea Open Source Git ServerCWE-639 7.1 High2026-07-03
CVE-2026-28744 Gitea Git smart HTTP bypasses repository token scopes for bearer tokens — Gitea Open Source Git ServerCWE-863 8.1 High2026-07-03
CVE-2026-28737 Gitea 3D file viewer allows stored XSS through glTF extensionsRequired — Gitea Open Source Git ServerCWE-79 8.7 High2026-07-03
CVE-2026-28699 Gitea Basic Auth bypasses OAuth2 access token scopes — Gitea Open Source Git ServerCWE-284 8.1 High2026-07-03
CVE-2026-28705 Gitea repository dumps write release assets using unsafe path names — Gitea Open Source Git ServerCWE-22--2026-07-03
CVE-2026-27783 Gitea issue-template APIs bypass repository unit authorization — Gitea Open Source Git ServerCWE-862 4.3 Medium2026-07-03
CVE-2026-27779 Gitea forwarded-proto handling allows public URL spoofing — Gitea Open Source Git ServerCWE-284--2026-07-03
CVE-2026-27780 Gitea pre-receive hook can miss branch-protection checks after scanner errors — Gitea Open Source Git ServerCWE-863--2026-07-03
CVE-2026-27771 Gitea Composer package source links use insufficient permission checks — Gitea Open Source Git ServerCWE-862--2026-07-03
CVE-2026-27761 Gitea repository feeds bypass API token scope enforcement — Gitea Open Source Git ServerCWE-863 4.3 Medium2026-07-03
CVE-2026-27775 Gitea pre-receive hook permission cache allows full repository write access — Gitea Open Source Git ServerCWE-863--2026-07-03
CVE-2026-27660 Gitea draft releases use insufficient permission checks — Gitea Open Source Git ServerCWE-284--2026-07-03
CVE-2026-27657 Gitea email settings allow changing another user's primary email address — Gitea Open Source Git ServerCWE-639--2026-07-03
CVE-2026-26307 Gitea git grep search lacks a timeout — Gitea Open Source Git ServerCWE-400--2026-07-03
CVE-2026-26292 Gitea LFS mirror synchronization bypasses migration HTTP transport restrictions — Gitea Open Source Git ServerCWE-284--2026-07-03
CVE-2026-26247 Gitea OAuth2 PKCE S256 challenges are not enforced during token exchange — Gitea Open Source Git ServerCWE-284--2026-07-03
CVE-2026-26231 Gitea maintainer-edit permissions allow unauthorized commits to readable repositories — Gitea Open Source Git ServerCWE-863 8.5 High2026-07-03
CVE-2026-25782 Gitea tracked-time deletion can target entries from another issue — Gitea Open Source Git ServerCWE-639--2026-07-03
CVE-2026-26232 Gitea OAuth2 authorization codes lack expiry and reuse enforcement — Gitea Open Source Git ServerCWE-294--2026-07-03
CVE-2026-25714 Gitea user organization API bypasses public-only token filtering — Gitea Open Source Git ServerCWE-862 4.3 Medium2026-07-03
CVE-2026-25718 Gitea template repository generation mishandles symlinked paths — Gitea Open Source Git ServerCWE-59--2026-07-03
CVE-2026-25779 Gitea redirect handling permits open redirects through backslash paths — Gitea Open Source Git ServerCWE-601--2026-07-03
CVE-2026-24690 Gitea pull-request branch updates use insufficient permission checks — Gitea Open Source Git ServerCWE-284--2026-07-03

This page lists every published CVE security advisory associated with Gitea. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.