gitea 関連製品全体の CVE とセキュリティ脆弱性情報を集約し、CVSS、EPSS、公開日、脆弱性情報データを掲載しています。
公開された問題は vendor risk cross-site scripting、vendor risk ssrf, and vendor risk open redirect に関連することが多く、vendor surface production workloads and vendor surface software deployment の文脈で vendor impact memory corruption and アプリケーションクラッシュ などの暴露リスクを伴う場合があります。
掲載データは公開脆弱性情報とセキュリティ公告に基づき、過去の暴露面と修補優先度の評価に利用できます。
| CVE | 概要 | ソース | CVSS 最大値 | EPSS(%) | 公開 | 更新 |
|---|---|---|---|---|---|---|
| CVE-2026-20912 | Gitea does not properly validate repository ownership when linking attachments to releases. An attachment uploaded to a private repository could potentially be linked to a release in a different public repository, making it accessible to unauthorized users. | 88ee5874-cf24-4952-aea0-31affedb7ff2 | 9.1 | 0.02% | 2026-01-22 | 2026-01-29 |
| CVE-2026-20904 | Gitea does not properly validate ownership when toggling OpenID URI visibility. An authenticated user may be able to change the visibility settings of other users' OpenID identities. | 88ee5874-cf24-4952-aea0-31affedb7ff2 | 6.5 | 0.02% | 2026-01-22 | 2026-01-29 |
| CVE-2026-20897 | Gitea does not properly validate repository ownership when deleting Git LFS locks. A user with write access to one repository may be able to delete LFS locks belonging to other repositories. | 88ee5874-cf24-4952-aea0-31affedb7ff2 | 9.1 | 0.02% | 2026-01-22 | 2026-01-29 |
| CVE-2026-20888 | Gitea does not properly verify authorization when canceling scheduled auto-merges via the web interface. A user with read access to pull requests may be able to cancel auto-merges scheduled by other users. | 88ee5874-cf24-4952-aea0-31affedb7ff2 | 4.3 | 0.02% | 2026-01-22 | 2026-01-29 |
| CVE-2026-20883 | Gitea's stopwatch API does not re-validate repository access permissions. After a user's access to a private repository is revoked, they may still view issue titles and repository names through previously started stopwatches. | 88ee5874-cf24-4952-aea0-31affedb7ff2 | 6.5 | 0.01% | 2026-01-22 | 2026-01-29 |
| CVE-2026-20800 | Gitea's notification API does not re-validate repository access permissions when returning notification details. After a user's access to a private repository is revoked, they may still view issue and pull request titles through previously received notifications. | 88ee5874-cf24-4952-aea0-31affedb7ff2 | 6.5 | 0.01% | 2026-01-22 | 2026-01-29 |
| CVE-2026-20750 | Gitea does not properly validate project ownership in organization project operations. A user with project write access in one organization may be able to modify projects belonging to a different organization. | 88ee5874-cf24-4952-aea0-31affedb7ff2 | 9.1 | 0.02% | 2026-01-22 | 2026-01-29 |
| CVE-2026-20736 | Gitea does not properly verify repository context when deleting attachments. A user who previously uploaded an attachment to a repository may be able to delete it after losing access to that repository by making the request through a different repository they can access. | 88ee5874-cf24-4952-aea0-31affedb7ff2 | 7.5 | 0.02% | 2026-01-22 | 2026-01-29 |
| CVE-2026-0798 | Gitea may send release notification emails for private repositories to users whose access has been revoked. When a repository is changed from public to private, users who previously watched the repository may continue to receive release notifications, potentially disclosing release titles, tags, and content. | 88ee5874-cf24-4952-aea0-31affedb7ff2 | 3.5 | 0.02% | 2026-01-22 | 2026-01-29 |
| CVE-2025-69413 | In Gitea before 1.25.2, /api/v1/user has different responses for failed authentication depending on whether a username exists. | [email protected] | 5.3 | 0.03% | 2026-01-01 | 2026-01-06 |
| CVE-2025-68946 | In Gitea before 1.20.1, a forbidden URL scheme such as javascript: can be used for a link, aka XSS. | [email protected] | 5.4 | 0.03% | 2025-12-26 | 2025-12-31 |
| CVE-2025-68945 | In Gitea before 1.21.2, an anonymous user can visit a private user's project. | [email protected] | 5.8 | 0.03% | 2025-12-26 | 2025-12-31 |
| CVE-2025-68944 | Gitea before 1.22.2 sometimes mishandles the propagation of token scope for access control within one of its own package registries. | [email protected] | 5.0 | 0.03% | 2025-12-26 | 2025-12-31 |
| CVE-2025-68943 | Gitea before 1.21.8 inadvertently discloses users' login times by allowing (for example) the lastlogintime explore/users sort order. | [email protected] | 5.3 | 0.03% | 2025-12-26 | 2025-12-31 |
| CVE-2025-68942 | Gitea before 1.22.2 allows XSS because the search input box (for creating tags and branches) is v-html instead of v-text. | [email protected] | 5.4 | 0.03% | 2025-12-26 | 2026-01-02 |
| CVE-2025-68941 | Gitea before 1.22.3 mishandles access to a private resource upon receiving an API token with scope limited to public resources. | [email protected] | 4.9 | 0.03% | 2025-12-26 | 2026-01-02 |
| CVE-2025-68940 | In Gitea before 1.22.5, branch deletion permissions are not adequately enforced after merging a pull request. | [email protected] | 3.1 | 0.02% | 2025-12-26 | 2026-01-02 |
| CVE-2025-68939 | Gitea before 1.23.0 allows attackers to add attachments with forbidden file extensions by editing an attachment name via an attachment API. | [email protected] | 8.2 | 0.04% | 2025-12-26 | 2026-01-02 |
| CVE-2025-68938 | Gitea before 1.25.2 mishandles authorization for deletion of releases. | [email protected] | 4.3 | 0.03% | 2025-12-26 | 2026-01-02 |
| CVE-2022-38795 | In Gitea through 1.17.1, repo cloning can occur in the migration function. | [email protected] | 6.5 | 0.36% | 2023-08-07 | 2024-11-21 |