Gitea before 1.22.2 sometimes mishandles the propagation of token scope for access control within one of its own package registries.

Skip to content

**Navigation Menu**

*   *   AI CODE CREATION
        
        *   GitHub CopilotWrite better code with AI
            
        *   GitHub SparkBuild and deploy intelligent apps
            
        *   GitHub ModelsManage and compare prompts
            
        *   MCP RegistryNewIntegrate external tools
            
        
    
    View all features
    

*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

Appearance settings

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2025-68944

**Gitea sometimes mishandles propagation of token scope for access control within one of its own package registries**

Moderate severity GitHub Reviewed Published Dec 26, 2025 to the GitHub Advisory Database • Updated Dec 26, 2025

**Package**

gomod code.gitea.io/gitea (Go)

**Affected versions**

< 1.22.2

**Description**

Published to the GitHub Advisory Database

Dec 26, 2025

Last updated

Dec 26, 2025

**EPSS score**

GHSA-f85h-c7m6-cfpm: Gitea sometimes mishandles propagation of token scope for access control within one of its own package registries

Gitea before 1.21.8 inadvertently discloses users' login times by allowing (for example) the lastlogintime explore/users sort order.

Skip to content

**Navigation Menu**

*   *   AI CODE CREATION
        
        *   GitHub CopilotWrite better code with AI
            
        *   GitHub SparkBuild and deploy intelligent apps
            
        *   GitHub ModelsManage and compare prompts
            
        *   MCP RegistryNewIntegrate external tools
            
        
    
    View all features
    

*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

Appearance settings

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2025-68943

**Gitea inadvertently discloses users' login times by allowing (for example) the lastlogintime explore/users sort order**

Moderate severity GitHub Reviewed Published Dec 26, 2025 to the GitHub Advisory Database • Updated Dec 26, 2025

**Package**

gomod code.gitea.io/gitea (Go)

**Affected versions**

< 1.21.8

**Description**

Published to the GitHub Advisory Database

Dec 26, 2025

Last updated

Dec 26, 2025

**EPSS score**

GHSA-jhx5-4vr4-f327: Gitea inadvertently discloses users' login times by allowing (for example) the lastlogintime explore/users sort order

In Gitea before 1.20.1, a forbidden URL scheme such as javascript: can be used for a link, aka XSS.

Skip to content

**Navigation Menu**

*   *   AI CODE CREATION
        
        *   GitHub CopilotWrite better code with AI
            
        *   GitHub SparkBuild and deploy intelligent apps
            
        *   GitHub ModelsManage and compare prompts
            
        *   MCP RegistryNewIntegrate external tools
            
        
    
    View all features
    

*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

Appearance settings

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2025-68946

**Gitea vulnerable to Cross-site Scripting**

Moderate severity GitHub Reviewed Published Dec 26, 2025 to the GitHub Advisory Database • Updated Dec 26, 2025

**Package**

gomod code.gitea.io/gitea (Go)

**Affected versions**

< 1.20.1

**Description**

Published to the GitHub Advisory Database

Dec 26, 2025

Last updated

Dec 26, 2025

**EPSS score**

GHSA-hq57-c72x-4774: Gitea vulnerable to Cross-site Scripting

In Gitea before 1.21.2, an anonymous user can visit a private user's project.

Skip to content

**Navigation Menu**

*   *   AI CODE CREATION
        
        *   GitHub CopilotWrite better code with AI
            
        *   GitHub SparkBuild and deploy intelligent apps
            
        *   GitHub ModelsManage and compare prompts
            
        *   MCP RegistryNewIntegrate external tools
            
        
    
    View all features
    

*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

Appearance settings

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2025-68945

**Gitea: anonymous user can visit private user's project**

Moderate severity GitHub Reviewed Published Dec 26, 2025 to the GitHub Advisory Database • Updated Dec 26, 2025

**Package**

gomod code.gitea.io/gitea (Go)

**Affected versions**

< 1.21.2

**Description**

Published to the GitHub Advisory Database

Dec 26, 2025

Last updated

Dec 26, 2025

**EPSS score**

GHSA-7xq4-mwcp-q8fx: Gitea: anonymous user can visit private user's project

Gitea before 1.22.2 allows XSS because the search input box (for creating tags and branches) is v-html instead of v-text.

Skip to content

**Navigation Menu**

*   *   AI CODE CREATION
        
        *   GitHub CopilotWrite better code with AI
            
        *   GitHub SparkBuild and deploy intelligent apps
            
        *   GitHub ModelsManage and compare prompts
            
        *   MCP RegistryNewIntegrate external tools
            
        
    
    View all features
    

*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

Appearance settings

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2025-68942

**Gitea allows XSS because the search input box (for creating tags and branches) is v-html instead of v-text**

Moderate severity GitHub Reviewed Published Dec 26, 2025 to the GitHub Advisory Database • Updated Dec 26, 2025

**Package**

gomod code.gitea.io/gitea (Go)

**Affected versions**

< 1.22.2

**Description**

Published to the GitHub Advisory Database

Dec 26, 2025

Last updated

Dec 26, 2025

**EPSS score**

GHSA-898p-hh3p-hf9r: Gitea allows XSS because the search input box (for creating tags and branches) is v-html instead of v-text

Gitea before 1.22.3 mishandles access to a private resource upon receiving an API token with scope limited to public resources.

Skip to content

**Navigation Menu**

*   *   AI CODE CREATION
        
        *   GitHub CopilotWrite better code with AI
            
        *   GitHub SparkBuild and deploy intelligent apps
            
        *   GitHub ModelsManage and compare prompts
            
        *   MCP RegistryNewIntegrate external tools
            
        
    
    View all features
    

*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

Appearance settings

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2025-68941

**Gitea mishandles access to a private resource upon receiving an API token with scope limited to public resources**

Moderate severity GitHub Reviewed Published Dec 26, 2025 to the GitHub Advisory Database • Updated Dec 26, 2025

**Package**

gomod code.gitea.io/gitea (Go)

**Affected versions**

< 1.22.3

**Description**

Published to the GitHub Advisory Database

Dec 26, 2025

Last updated

Dec 26, 2025

**EPSS score**

GHSA-xfq3-qj7j-4565: Gitea mishandles access to a private resource upon receiving an API token with scope limited to public resources

In Gitea before 1.22.5, branch deletion permissions are not adequately enforced after merging a pull request.

Skip to content

**Navigation Menu**

*   *   AI CODE CREATION
        
        *   GitHub CopilotWrite better code with AI
            
        *   GitHub SparkBuild and deploy intelligent apps
            
        *   GitHub ModelsManage and compare prompts
            
        *   MCP RegistryNewIntegrate external tools
            
        
    
    View all features
    

*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

Appearance settings

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2025-68940

**Gitea doesn't adequately enforce branch deletion permissions after merging a pull request.**

Low severity GitHub Reviewed Published Dec 26, 2025 to the GitHub Advisory Database • Updated Dec 26, 2025

**Package**

gomod code.gitea.io/gitea (Go)

**Affected versions**

< 1.22.5

**Description**

Published to the GitHub Advisory Database

Dec 26, 2025

Last updated

Dec 26, 2025

**EPSS score**

GHSA-rrcw-5rjv-vj26: Gitea doesn't adequately enforce branch deletion permissions after merging a pull request.

Gitea before 1.23.0 allows attackers to add attachments with forbidden file extensions by editing an attachment name via an attachment API.

Skip to content

**Navigation Menu**

*   *   AI CODE CREATION
        
        *   GitHub CopilotWrite better code with AI
            
        *   GitHub SparkBuild and deploy intelligent apps
            
        *   GitHub ModelsManage and compare prompts
            
        *   MCP RegistryNewIntegrate external tools
            
        
    
    View all features
    

*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

Appearance settings

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2025-68939

**Gitea allows attackers to add attachments with forbidden file extensions**

High severity GitHub Reviewed Published Dec 26, 2025 to the GitHub Advisory Database • Updated Dec 26, 2025

**Package**

gomod code.gitea.io/gitea (Go)

**Affected versions**

< 1.23.0

**Description**

Published to the GitHub Advisory Database

Dec 26, 2025

Last updated

Dec 26, 2025

**EPSS score**

GHSA-263q-5cv3-xq9g: Gitea allows attackers to add attachments with forbidden file extensions

Gitea before 1.25.2 mishandles authorization for deletion of releases.

Skip to content

**Navigation Menu**

*   *   AI CODE CREATION
        
        *   GitHub CopilotWrite better code with AI
            
        *   GitHub SparkBuild and deploy intelligent apps
            
        *   GitHub ModelsManage and compare prompts
            
        *   MCP RegistryNewIntegrate external tools
            
        
    
    View all features
    

*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

Appearance settings

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2025-68938

**Gitea mishandles authorization for deletion of releases**

Moderate severity GitHub Reviewed Published Dec 26, 2025 to the GitHub Advisory Database • Updated Dec 26, 2025

**Package**

gomod code.gitea.io/gitea (Go)

**Affected versions**

< 1.25.2

**Description**

Published to the GitHub Advisory Database

Dec 26, 2025

Last updated

Dec 26, 2025

**EPSS score**

GHSA-cm54-pfmc-xrwx: Gitea mishandles authorization for deletion of releases

It’s getting harder to tell where normal tech ends and malicious intent begins. Attackers are no longer just breaking in — they’re blending in, hijacking everyday tools, trusted apps, and even AI assistants. What used to feel like clear-cut “hacker stories” now looks more like a mirror of the systems we all use.
This week’s findings show a pattern: precision, patience, and persuasion. The

Latest News