gitea 漏洞与 CVE 列表(52)

产品(CPE): — CVE 数: 52

gitea 漏洞概览

汇总 gitea 相关全部产品的 CVE 与安全漏洞情报,包括 CVSS、EPSS、公开时间与漏洞情报数据。

已披露问题常与 跨站脚本、SSRF与开放重定向 相关,可能在 生产负载与软件部署 场景中带来 内存损坏与应用崩溃 等暴露风险。

相关漏洞数据主要来源于公开漏洞披露与安全公告,可用于评估历史漏洞暴露面与修复优先级。

漏洞分布趋势(近 24 个月)

显示 12052 CVE 数
«« 第一页 « 上一页 第 1 / 3 页 下一页 »
CVE 摘要 来源 最高 CVSS EPSS % 公开时间 更新时间
CVE-2026-20912 Gitea does not properly validate repository ownership when linking attachments to releases. An attachment uploaded to a private repository could potentially be linked to a release in a different public repository, making it accessible to unauthorized users. 88ee5874-cf24-4952-aea0-31affedb7ff2 9.1 0.37% 2026-01-22 2026-07-14
CVE-2026-20904 Gitea does not properly validate ownership when toggling OpenID URI visibility. An authenticated user may be able to change the visibility settings of other users' OpenID identities. 88ee5874-cf24-4952-aea0-31affedb7ff2 6.5 0.28% 2026-01-22 2026-06-17
CVE-2026-20897 Gitea does not properly validate repository ownership when deleting Git LFS locks. A user with write access to one repository may be able to delete LFS locks belonging to other repositories. 88ee5874-cf24-4952-aea0-31affedb7ff2 9.1 0.37% 2026-01-22 2026-07-14
CVE-2026-20888 Gitea does not properly verify authorization when canceling scheduled auto-merges via the web interface. A user with read access to pull requests may be able to cancel auto-merges scheduled by other users. 88ee5874-cf24-4952-aea0-31affedb7ff2 4.3 0.30% 2026-01-22 2026-06-17
CVE-2026-20883 Gitea's stopwatch API does not re-validate repository access permissions. After a user's access to a private repository is revoked, they may still view issue titles and repository names through previously started stopwatches. 88ee5874-cf24-4952-aea0-31affedb7ff2 6.5 0.33% 2026-01-22 2026-06-17
CVE-2026-20800 Gitea's notification API does not re-validate repository access permissions when returning notification details. After a user's access to a private repository is revoked, they may still view issue and pull request titles through previously received notifications. 88ee5874-cf24-4952-aea0-31affedb7ff2 6.5 0.34% 2026-01-22 2026-06-17
CVE-2026-20750 Gitea does not properly validate project ownership in organization project operations. A user with project write access in one organization may be able to modify projects belonging to a different organization. 88ee5874-cf24-4952-aea0-31affedb7ff2 9.1 0.39% 2026-01-22 2026-07-14
CVE-2026-20736 Gitea does not properly verify repository context when deleting attachments. A user who previously uploaded an attachment to a repository may be able to delete it after losing access to that repository by making the request through a different repository they can access. 88ee5874-cf24-4952-aea0-31affedb7ff2 7.5 0.36% 2026-01-22 2026-07-14
CVE-2026-0798 Gitea may send release notification emails for private repositories to users whose access has been revoked. When a repository is changed from public to private, users who previously watched the repository may continue to receive release notifications, potentially disclosing release titles, tags, and content. 88ee5874-cf24-4952-aea0-31affedb7ff2 3.5 0.24% 2026-01-22 2026-06-17
CVE-2025-69413 In Gitea before 1.25.2, /api/v1/user has different responses for failed authentication depending on whether a username exists. [email protected] 5.3 0.36% 2026-01-01 2026-06-17
CVE-2025-68946 In Gitea before 1.20.1, a forbidden URL scheme such as javascript: can be used for a link, aka XSS. [email protected] 5.4 0.22% 2025-12-26 2026-06-17
CVE-2025-68945 In Gitea before 1.21.2, an anonymous user can visit a private user's project. [email protected] 5.8 0.33% 2025-12-25 2026-06-17
CVE-2025-68944 Gitea before 1.22.2 sometimes mishandles the propagation of token scope for access control within one of its own package registries. [email protected] 5.0 0.25% 2025-12-25 2026-06-17
CVE-2025-68943 Gitea before 1.21.8 inadvertently discloses users' login times by allowing (for example) the lastlogintime explore/users sort order. [email protected] 5.3 0.33% 2025-12-25 2026-06-17
CVE-2025-68942 Gitea before 1.22.2 allows XSS because the search input box (for creating tags and branches) is v-html instead of v-text. [email protected] 5.4 0.22% 2025-12-25 2026-06-17
CVE-2025-68941 Gitea before 1.22.3 mishandles access to a private resource upon receiving an API token with scope limited to public resources. [email protected] 4.9 0.24% 2025-12-25 2026-06-17
CVE-2025-68940 In Gitea before 1.22.5, branch deletion permissions are not adequately enforced after merging a pull request. [email protected] 3.1 0.25% 2025-12-25 2026-06-17
CVE-2025-68939 Gitea before 1.23.0 allows attackers to add attachments with forbidden file extensions by editing an attachment name via an attachment API. [email protected] 8.2 0.29% 2025-12-25 2026-06-17
CVE-2025-68938 Gitea before 1.25.2 mishandles authorization for deletion of releases. [email protected] 4.3 0.35% 2025-12-25 2026-06-17
CVE-2022-38795 In Gitea through 1.17.1, repo cloning can occur in the migration function. [email protected] 6.5 0.46% 2023-08-07 2026-06-17
«« 第一页 « 上一页 第 1 / 3 页 下一页 »
cvelogic Threat Intelligence