This page lists publicly disclosed CVE vulnerabilities affecting redhat pagure (linked via NVD CPE). Each row includes severity scores, summaries, and publication dates to help identify and analyze security issues.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2024-4982 | A directory traversal vulnerability was discovered in Pagure server. If a malicious user submits a specially crafted git repository they could discover secrets on the server. | [email protected] | 7.6 | 0.22% | 2025-05-12 | 2025-08-07 |
| CVE-2024-4981 | A vulnerability was discovered in Pagure server. If a malicious user were to submit a git repository with symbolic links, the server could unintentionally incorporate and make visible content from outside the git repo. | [email protected] | 7.6 | 0.07% | 2025-05-12 | 2025-08-07 |
| CVE-2019-11556 | Pagure before 5.6 allows XSS via the templates/blame.html blame view. | [email protected] | 6.1 | 0.59% | 2020-09-25 | 2024-11-21 |
| CVE-2016-1000037 | Pagure: XSS possible in file attachment endpoint | [email protected] | 6.1 | 0.41% | 2019-11-06 | 2024-11-21 |
| CVE-2019-7628 | Pagure 5.2 leaks API keys by e-mailing them to users. Few e-mail servers validate TLS certificates, so it is easy for man-in-the-middle attackers to read these e-mails and gain access to Pagure on behalf of other users. This issue is found in the API token expiration reminder cron job in files/api_key_expire_mail.py; disabling that job is also a viable solution. (E-mailing a substring of the API key was an attempted, but rejected, solution.) | [email protected] | 5.9 | 0.17% | 2019-02-08 | 2024-11-21 |
| CVE-2017-1002151 | Pagure 3.3.0 and earlier is vulnerable to loss of confidentiality due to improper authorization | [email protected] | 7.5 | 0.28% | 2017-09-14 | 2026-05-13 |
| CVE-2016-1000007 | Pagure 2.2.1 XSS in raw file endpoint | [email protected] | 6.1 | 0.24% | 2016-10-07 | 2026-05-06 |