Product

gitea

52 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
CVE-2026-20912
< 1.25.4
Gitea does not properly validate repository ownership when linking attachments to releases. An attachment uploaded to a private re
9.1CRITICAL
CVE-2026-20904
< 1.25.4
Gitea does not properly validate ownership when toggling OpenID URI visibility. An authenticated user may be able to change the vi
6.5MEDIUM
CVE-2026-20897
< 1.25.4
Gitea does not properly validate repository ownership when deleting Git LFS locks. A user with write access to one repository may
9.1CRITICAL
CVE-2026-20888
< 1.25.4
Gitea does not properly verify authorization when canceling scheduled auto-merges via the web interface. A user with read access t
4.3MEDIUM
CVE-2026-20883
< 1.25.4
Gitea's stopwatch API does not re-validate repository access permissions. After a user's access to a private repository is revoked
6.5MEDIUM
CVE-2026-20800
< 1.25.4
Gitea's notification API does not re-validate repository access permissions when returning notification details. After a user's ac
6.5MEDIUM
CVE-2026-20750
< 1.25.4
Gitea does not properly validate project ownership in organization project operations. A user with project write access in one org
9.1CRITICAL
CVE-2026-20736
< 1.25.4
Gitea does not properly verify repository context when deleting attachments. A user who previously uploaded an attachment to a rep
7.5HIGH
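Several of the 1.25.4 entries above (CVE-2026-20912, CVE-2026-20897, CVE-2026-20750, CVE-2026-20736) share one root cause: an object is loaded by its own identifier (UUID, lock ID, project ID) without checking that it belongs to the repository or organization named in the request. The following Go example is added here to illustrate that check; it is not Gitea's code, and the record types, field names and scenario (a private repo 1, an attacker-controlled repo 2) are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed in-memory records standing in for the database rows a release/attachment
// service would load; field names are assumptions, not Gitea's models.
type release struct {
	ID     int64
	RepoID int64
}

type attachment struct {
	UUID       string
	RepoID     int64 // repository the file was uploaded into
	UploaderID int64
	ReleaseID  int64 // 0 while not yet bound to a release
}

type store struct {
	releases    map[int64]*release
	attachments map[string]*attachment
}

var (
	errNotFound  = errors.New("not found")
	errForbidden = errors.New("forbidden")
)

// newDemoStore builds the scenario: repo 1 is private and holds an unlinked attachment,
// repo 2 is a repository the attacker controls and has a release in it.
func newDemoStore() *store {
	return &store{
		releases: map[int64]*release{
			20: {ID: 20, RepoID: 2},
		},
		attachments: map[string]*attachment{
			"att-private": {UUID: "att-private", RepoID: 1, UploaderID: 100},
			"att-own":     {UUID: "att-own", RepoID: 2, UploaderID: 200},
		},
	}
}

// linkUnchecked shows the weak pattern: the attachment is looked up by UUID alone,
// so any UUID the caller learns can be bound to a release in a repository they control.
func (s *store) linkUnchecked(repoID, releaseID int64, uuid string) error {
	rel, ok := s.releases[releaseID]
	if !ok || rel.RepoID != repoID {
		return errNotFound
	}
	att, ok := s.attachments[uuid]
	if !ok {
		return errNotFound
	}
	att.ReleaseID = rel.ID
	return nil
}

// linkChecked scopes every object to the repository named in the request and to the actor.
// "Wrong repository" and "no such UUID" return the same error so the UUID space is not an oracle.
func (s *store) linkChecked(actorID, repoID, releaseID int64, uuid string) error {
	rel, ok := s.releases[releaseID]
	if !ok || rel.RepoID != repoID {
		return errNotFound
	}
	att, ok := s.attachments[uuid]
	if !ok || att.RepoID != repoID {
		return errNotFound
	}
	if att.UploaderID != actorID {
		return errForbidden
	}
	if att.ReleaseID != 0 && att.ReleaseID != rel.ID {
		return errForbidden // already bound to a different release
	}
	att.ReleaseID = rel.ID
	return nil
}

func main() {
	s := newDemoStore()
	fmt.Println("unchecked cross-repo link:", s.linkUnchecked(2, 20, "att-private")) // nil: succeeds
	s = newDemoStore()
	fmt.Println("checked cross-repo link:  ", s.linkChecked(200, 2, 20, "att-private")) // not found
	fmt.Println("checked in-repo link:     ", s.linkChecked(200, 2, 20, "att-own"))     // nil
}
```

The same shape applies to the LFS-lock and project cases: the lookup key must always include the scope from the URL (repo ID, org ID), never just the object's own ID, and the error for "exists but not yours" should be indistinguishable from "does not exist".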
CVE-2026-0798
< 1.25.4
Gitea may send release notification emails for private repositories to users whose access has been revoked. When a repository is c
3.5LOW
CVE-2025-69413
< 1.25.2
In Gitea before 1.25.2, /api/v1/user has different responses for failed authentication depending on whether a username exists.
5.3MEDIUM
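CVE-2025-69413 is a username-enumeration oracle: a failed login that answers differently for "unknown user" and "wrong password" lets an unauthenticated caller confirm which accounts exist. The Go example below is added to show the leaky handler beside the uniform one; it is not Gitea's implementation, and the user table, the decoy credential and the SHA-256 stand-in for a real password KDF are constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// authResult is the outcome an API handler would translate into HTTP status + JSON body.
type authResult struct {
	Status  int
	Message string
}

type credential struct {
	salt []byte
	hash []byte
}

// hashPassword is a stand-in for a real password KDF (argon2id/bcrypt) so the example
// has no dependencies; what matters is that it runs on every failure path, not what it computes.
func hashPassword(salt []byte, password string) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(password))
	return h.Sum(nil)
}

func newCredential(salt, password string) credential {
	return credential{salt: []byte(salt), hash: hashPassword([]byte(salt), password)}
}

// Constructed user table (example data only).
var users = map[string]credential{
	"alice": newCredential("salt-alice", "correct horse battery"),
}

// decoy is hashed once at start-up and used whenever the username is unknown, so the
// handler does the same amount of work whether or not the account exists.
var decoy = newCredential("salt-decoy", "never-accepted")

// authenticateLeaky answers differently for "no such user" and "wrong password".
func authenticateLeaky(username, password string) authResult {
	c, ok := users[username]
	if !ok {
		return authResult{Status: 404, Message: "user does not exist"}
	}
	if subtle.ConstantTimeCompare(hashPassword(c.salt, password), c.hash) != 1 {
		return authResult{Status: 401, Message: "invalid password"}
	}
	return authResult{Status: 200, Message: "ok"}
}

// authenticateUniform returns one indistinguishable failure for both cases and always
// performs the hash comparison. The decoy can never authenticate because ok stays false.
func authenticateUniform(username, password string) authResult {
	c, ok := users[username]
	if !ok {
		c = decoy
	}
	match := subtle.ConstantTimeCompare(hashPassword(c.salt, password), c.hash) == 1
	if !(ok && match) {
		return authResult{Status: 401, Message: "invalid username or password"}
	}
	return authResult{Status: 200, Message: "ok"}
}

func main() {
	for _, name := range []string{"alice", "mallory"} {
		fmt.Printf("leaky   %-8s -> %+v\n", name, authenticateLeaky(name, "wrong"))
		fmt.Printf("uniform %-8s -> %+v\n", name, authenticateUniform(name, "wrong"))
	}
}
```

Status code, body, headers and response time all have to agree across the two failure cases; fixing only the message while skipping the hash for unknown users leaves a timing oracle in place.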
CVE-2025-68946
< 1.20.1
In Gitea before 1.20.1, a forbidden URL scheme such as javascript: can be used for a link, aka XSS.
5.4MEDIUM
CVE-2025-68945
< 1.21.2
In Gitea before 1.21.2, an anonymous user can visit a private user's project.
5.8MEDIUM
CVE-2025-68944
< 1.22.2
Gitea before 1.22.2 sometimes mishandles the propagation of token scope for access control within one of its own package registrie
5.0MEDIUM
CVE-2025-68943
< 1.21.8
Gitea before 1.21.8 inadvertently discloses users' login times by allowing (for example) the lastlogintime explore/users sort orde
5.3MEDIUM
CVE-2025-68942
< 1.22.2
Gitea before 1.22.2 allows XSS because the search input box (for creating tags and branches) is v-html instead of v-text.
5.4MEDIUM
CVE-2025-68941
< 1.22.3
Gitea before 1.22.3 mishandles access to a private resource upon receiving an API token with scope limited to public resources.
4.9MEDIUM
CVE-2025-68940
< 1.22.5
In Gitea before 1.22.5, branch deletion permissions are not adequately enforced after merging a pull request.
3.1LOW
CVE-2025-68939
< 1.23.0
Gitea before 1.23.0 allows attackers to add attachments with forbidden file extensions by editing an attachment name via an attach
8.2HIGH
CVE-2025-68938
< 1.25.2
Gitea before 1.25.2 mishandles authorization for deletion of releases.
4.3MEDIUM
CVE-2022-38795
<= 1.17.1
In Gitea through 1.17.1, repo cloning can occur in the migration function.
6.5MEDIUM
CVE-2023-3515
< 1.19.4
Open Redirect in GitHub repository go-gitea/gitea prior to 1.19.4.
4.4MEDIUM
CVE-2022-46685
< 1.4.5
In Jenkins Gitea Plugin 1.4.4 and earlier, the implementation of Gitea personal access tokens did not support credentials masking,
4.3MEDIUM
CVE-2022-42968
< 1.17.3
Gitea before 1.17.3 does not sanitize and escape refs in the git backend. Arguments to git commands are mishandled.
9.8CRITICAL
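CVE-2022-42968 and CVE-2022-30781 both come down to user-controlled strings reaching a git command line without validation. The Go example below is added to show the two layers of defence a service should have before spawning git: reject anything that is not a well-formed ref name, and terminate option parsing so a ref can never be read as a flag. It is not Gitea's code; the rules mirror git's documented ref-name constraints (git-check-ref-format), with one extra rule (no leading "-") for argument safety, and the assumption that the mishandled arguments were ref names.

```go
package main

import (
	"fmt"
	"strings"
)

// validRef applies the naming rules git itself enforces (git-check-ref-format) plus one
// extra rule for argument safety: a ref that starts with "-" would be parsed as an option.
func validRef(ref string) bool {
	if ref == "" || ref == "@" || strings.HasPrefix(ref, "-") {
		return false
	}
	if strings.Contains(ref, "..") || strings.Contains(ref, "@{") || strings.Contains(ref, "//") {
		return false
	}
	if strings.HasPrefix(ref, "/") || strings.HasSuffix(ref, "/") || strings.HasSuffix(ref, ".") {
		return false
	}
	for _, r := range ref {
		// control characters, DEL, space and the characters git forbids in ref names
		if r < 0x20 || r == 0x7f || strings.ContainsRune(" ~^:?*[\\", r) {
			return false
		}
	}
	for _, component := range strings.Split(ref, "/") {
		if strings.HasPrefix(component, ".") || strings.HasSuffix(component, ".lock") {
			return false
		}
	}
	return true
}

// gitArgs builds the argv for a git subcommand that takes a revision. Validation is the
// first line of defence; "--end-of-options" (git >= 2.24) is the second, so even a value
// that slips through validation is never parsed as a flag.
func gitArgs(subcommand, ref string) ([]string, error) {
	if !validRef(ref) {
		return nil, fmt.Errorf("refusing to pass %q to git: not a valid ref name", ref)
	}
	return []string{subcommand, "--end-of-options", ref}, nil
}

func main() {
	for _, ref := range []string{"refs/heads/main", "release/v1.0", "-n1", "main..HEAD", "feature/.hidden", "a.lock", "@{1}", "a b"} {
		args, err := gitArgs("rev-list", ref)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		// In a real service this would be exec.Command("git", args...) with no shell involved.
		fmt.Println("ok:      git", strings.Join(args, " "))
	}
}
```

Always pass argv as a slice to exec.Command rather than through a shell, and treat remote URLs (the CVE-2022-30781 case) the same way: validate the scheme and host first, then place the value after "--" or "--end-of-options" depending on the subcommand.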
CVE-2022-38183
< 1.16.9
In Gitea before 1.16.9, it was possible for users to add existing issues to projects. Due to improper access controls, an attacker
6.5MEDIUM
CVE-2022-1928
< 1.16.9
Cross-site Scripting (XSS) - Stored in GitHub repository go-gitea/gitea prior to 1.16.9.
5.4MEDIUM
CVE-2022-30781
< 1.16.7
Gitea before 1.16.7 does not escape git fetch remote.
7.5HIGH
CVE-2022-27313
all versions
An arbitrary file deletion vulnerability in Gitea v1.16.3 allows attackers to cause a Denial of Service (DoS) via deleting the con
7.5HIGH
CVE-2022-1058
< 1.16.5
Open Redirect on login in GitHub repository go-gitea/gitea prior to 1.16.5.
6.1MEDIUM
CVE-2021-29134
< 1.13.6
The avatar middleware in Gitea before 1.13.6 allows Directory Traversal via a crafted URL.
5.3MEDIUM
CVE-2022-0905
< 1.16.4
Missing Authorization in GitHub repository go-gitea/gitea prior to 1.16.4.
7.1HIGH
CVE-2021-45331
< 1.5.0
An Authentication Bypass vulnerability exists in Gitea before 1.5.0, which could let a malicious user gain privileges. If captured
9.8CRITICAL
CVE-2021-45330
<= 1.15.7
An issue exists in Gitea through 1.15.7, which could let a malicious user gain privileges due to client side cookies not being del
9.8CRITICAL
CVE-2021-45329
< 1.5.1
Cross Site Scripting (XSS) vulnerability exists in Gitea before 1.5.1 via the repository settings inside the external wiki/issue t
6.1MEDIUM
CVE-2021-45328
< 1.4.3
Gitea before 1.4.3 is affected by URL Redirection to Untrusted Site ('Open Redirect') via internal URLs.
6.1MEDIUM
CVE-2021-45327
< 1.11.2
Gitea before 1.11.2 is affected by Trusting HTTP Permission Methods on the Server Side when referencing the vulnerable admin or us
9.8CRITICAL
CVE-2021-45326
< 1.5.2
Cross Site Request Forgery (CSRF) vulnerability exists in Gitea before 1.5.2 via API routes. This can be dangerous, especially with
8.8HIGH
CVE-2021-45325
< 1.7.0
Server Side Request Forgery (SSRF) vulnerability exists in Gitea before 1.7.0 using the OpenID URL.
7.5HIGH
CVE-2021-28378
>= 1.12.0 and < 1.13.4
Gitea 1.12.x and 1.13.x before 1.13.4 allows XSS via certain issue data in some situations.
3.7LOW
CVE-2021-3382
>= 1.9.0 and <= 1.13.1
Stack buffer overflow vulnerability in gitea 1.9.0 through 1.13.1 allows remote attackers to cause a denial of service (crash) via
7.5HIGH
CVE-2020-28991
>= 0.9.99 and < 1.12.6
Gitea 0.9.99 through 1.12.x before 1.12.6 does not prevent a git protocol path that specifies a TCP port number and also contains
9.8CRITICAL
CVE-2020-14144
>= 1.1.0 and <= 1.12.5
The git hook feature in Gitea 1.1.0 through 1.12.5 might allow for authenticated remote code execution in customer environments wh
7.2HIGH
CVE-2020-13246
<= 1.11.5
An issue was discovered in Gitea through 1.11.5. An attacker can trigger a deadlock by initiating a transfer of a repository's own
7.5HIGH
CVE-2019-1010261
<= 1.7.0
Gitea 1.7.0 and earlier is affected by: Cross Site Scripting (XSS). The impact is: Attacker is able to have victim execute arbitra
6.1MEDIUM
CVE-2019-1010314
all versions
Gitea 1.7.2, 1.7.3 is affected by: Cross Site Scripting (XSS). The impact is: execute JavaScript in victim's browser, when the vul
6.1MEDIUM
CVE-2019-10330
<= 1.1.1
Jenkins Gitea Plugin 1.1.1 and earlier did not implement trusted revisions, allowing attackers without commit access to the Git re
7.5HIGH
CVE-2019-11576
< 1.8.0
Gitea before 1.8.0 allows 1FA for user accounts that have completed 2FA enrollment. If a user's credentials are known, then an att
9.8CRITICAL
CVE-2019-11229
< 1.7.6
models/repo_mirror.go in Gitea before 1.7.6 and 1.8.x before 1.8-RC3 mishandles mirror repo URL settings, leading to remote code e
8.8HIGH
CVE-2019-11228
< 1.7.6
repo/setting.go in Gitea before 1.7.6 and 1.8.x before 1.8-RC3 does not validate the form.MirrorAddress before calling SaveAddress
7.5HIGH
CVE-2019-1000002
<= 1.6.2
Gitea version 1.6.2 and earlier contains an Incorrect Access Control vulnerability in Delete/Edit file functionality that can resu
6.5MEDIUM
CVE-2018-18926
< 1.5.4
Gitea before 1.5.4 allows remote code execution because it does not properly validate session IDs. This is related to session ID h
9.8CRITICAL
CVE-2018-1000803
< 1.5.1
Gitea version prior to version 1.5.1 contains a CWE-200 vulnerability that can result in Exposure of users private email addresses
5.3MEDIUM
CVE-2018-15192
< 1.5.0
An SSRF vulnerability in webhooks in Gitea through 1.5.0-rc2 and Gogs through 0.11.53 allows remote attackers to access intranet s
8.6HIGH
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin