In Gitea before 1.21.2, an anonymous user can visit a private user's project.

Skip to content

**Navigation Menu**

*   *   AI CODE CREATION
        
        *   GitHub CopilotWrite better code with AI
            
        *   GitHub SparkBuild and deploy intelligent apps
            
        *   GitHub ModelsManage and compare prompts
            
        *   MCP RegistryNewIntegrate external tools
            
        
    
    View all features
    

*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

Appearance settings

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2025-68945

**Gitea: anonymous user can visit private user's project**

Moderate severity GitHub Reviewed Published Dec 26, 2025 to the GitHub Advisory Database • Updated Dec 26, 2025

**Package**

gomod code.gitea.io/gitea (Go)

**Affected versions**

< 1.21.2

**Description**

Published to the GitHub Advisory Database

Dec 26, 2025

Last updated

Dec 26, 2025

**EPSS score**

GHSA-7xq4-mwcp-q8fx: Gitea: anonymous user can visit private user's project

In Gitea before 1.20.1, a forbidden URL scheme such as javascript: can be used for a link, aka XSS.

Skip to content

**Navigation Menu**

*   *   AI CODE CREATION
        
        *   GitHub CopilotWrite better code with AI
            
        *   GitHub SparkBuild and deploy intelligent apps
            
        *   GitHub ModelsManage and compare prompts
            
        *   MCP RegistryNewIntegrate external tools
            
        
    
    View all features
    

*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

Appearance settings

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2025-68946

**Gitea vulnerable to Cross-site Scripting**

Moderate severity GitHub Reviewed Published Dec 26, 2025 to the GitHub Advisory Database • Updated Dec 26, 2025

**Package**

gomod code.gitea.io/gitea (Go)

**Affected versions**

< 1.20.1

**Description**

Published to the GitHub Advisory Database

Dec 26, 2025

Last updated

Dec 26, 2025

**EPSS score**

GHSA-hq57-c72x-4774: Gitea vulnerable to Cross-site Scripting

Gitea before 1.22.2 allows XSS because the search input box (for creating tags and branches) is v-html instead of v-text.

Skip to content

**Navigation Menu**

*   *   AI CODE CREATION
        
        *   GitHub CopilotWrite better code with AI
            
        *   GitHub SparkBuild and deploy intelligent apps
            
        *   GitHub ModelsManage and compare prompts
            
        *   MCP RegistryNewIntegrate external tools
            
        
    
    View all features
    

*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

Appearance settings

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2025-68942

**Gitea allows XSS because the search input box (for creating tags and branches) is v-html instead of v-text**

Moderate severity GitHub Reviewed Published Dec 26, 2025 to the GitHub Advisory Database • Updated Dec 26, 2025

**Package**

gomod code.gitea.io/gitea (Go)

**Affected versions**

< 1.22.2

**Description**

Published to the GitHub Advisory Database

Dec 26, 2025

Last updated

Dec 26, 2025

**EPSS score**

GHSA-898p-hh3p-hf9r: Gitea allows XSS because the search input box (for creating tags and branches) is v-html instead of v-text

Gitea before 1.25.2 mishandles authorization for deletion of releases.

Skip to content

**Navigation Menu**

*   *   AI CODE CREATION
        
        *   GitHub CopilotWrite better code with AI
            
        *   GitHub SparkBuild and deploy intelligent apps
            
        *   GitHub ModelsManage and compare prompts
            
        *   MCP RegistryNewIntegrate external tools
            
        
    
    View all features
    

*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

Appearance settings

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2025-68938

**Gitea mishandles authorization for deletion of releases**

Moderate severity GitHub Reviewed Published Dec 26, 2025 to the GitHub Advisory Database • Updated Dec 26, 2025

**Package**

gomod code.gitea.io/gitea (Go)

**Affected versions**

< 1.25.2

**Description**

Published to the GitHub Advisory Database

Dec 26, 2025

Last updated

Dec 26, 2025

**EPSS score**

GHSA-cm54-pfmc-xrwx: Gitea mishandles authorization for deletion of releases

Gitea before 1.23.0 allows attackers to add attachments with forbidden file extensions by editing an attachment name via an attachment API.

Skip to content

**Navigation Menu**

*   *   AI CODE CREATION
        
        *   GitHub CopilotWrite better code with AI
            
        *   GitHub SparkBuild and deploy intelligent apps
            
        *   GitHub ModelsManage and compare prompts
            
        *   MCP RegistryNewIntegrate external tools
            
        
    
    View all features
    

*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

Appearance settings

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2025-68939

**Gitea allows attackers to add attachments with forbidden file extensions**

High severity GitHub Reviewed Published Dec 26, 2025 to the GitHub Advisory Database • Updated Dec 26, 2025

**Package**

gomod code.gitea.io/gitea (Go)

**Affected versions**

< 1.23.0

**Description**

Published to the GitHub Advisory Database

Dec 26, 2025

Last updated

Dec 26, 2025

**EPSS score**

GHSA-263q-5cv3-xq9g: Gitea allows attackers to add attachments with forbidden file extensions

Gitea before 1.22.3 mishandles access to a private resource upon receiving an API token with scope limited to public resources.

Skip to content

**Navigation Menu**

*   *   AI CODE CREATION
        
        *   GitHub CopilotWrite better code with AI
            
        *   GitHub SparkBuild and deploy intelligent apps
            
        *   GitHub ModelsManage and compare prompts
            
        *   MCP RegistryNewIntegrate external tools
            
        
    
    View all features
    

*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

Appearance settings

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2025-68941

**Gitea mishandles access to a private resource upon receiving an API token with scope limited to public resources**

Moderate severity GitHub Reviewed Published Dec 26, 2025 to the GitHub Advisory Database • Updated Dec 26, 2025

**Package**

gomod code.gitea.io/gitea (Go)

**Affected versions**

< 1.22.3

**Description**

Published to the GitHub Advisory Database

Dec 26, 2025

Last updated

Dec 26, 2025

**EPSS score**

GHSA-xfq3-qj7j-4565: Gitea mishandles access to a private resource upon receiving an API token with scope limited to public resources

In Gitea before 1.22.5, branch deletion permissions are not adequately enforced after merging a pull request.

Skip to content

**Navigation Menu**

*   *   AI CODE CREATION
        
        *   GitHub CopilotWrite better code with AI
            
        *   GitHub SparkBuild and deploy intelligent apps
            
        *   GitHub ModelsManage and compare prompts
            
        *   MCP RegistryNewIntegrate external tools
            
        
    
    View all features
    

*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

Appearance settings

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2025-68940

**Gitea doesn't adequately enforce branch deletion permissions after merging a pull request.**

Low severity GitHub Reviewed Published Dec 26, 2025 to the GitHub Advisory Database • Updated Dec 26, 2025

**Package**

gomod code.gitea.io/gitea (Go)

**Affected versions**

< 1.22.5

**Description**

Published to the GitHub Advisory Database

Dec 26, 2025

Last updated

Dec 26, 2025

**EPSS score**

GHSA-rrcw-5rjv-vj26: Gitea doesn't adequately enforce branch deletion permissions after merging a pull request.

It’s getting harder to tell where normal tech ends and malicious intent begins. Attackers are no longer just breaking in — they’re blending in, hijacking everyday tools, trusted apps, and even AI assistants. What used to feel like clear-cut “hacker stories” now looks more like a mirror of the systems we all use.
This week’s findings show a pattern: precision, patience, and persuasion. The

ThreatsDay Bulletin: Stealth Loaders, AI Chatbot Flaws AI Exploits, Docker Hack, and 15 More Stories

The encrypted vault backups stolen from the 2022 LastPass data breach have enabled bad actors to take advantage of weak master passwords to crack them open and drain cryptocurrency assets as recently as late 2025, according to new findings from TRM Labs.
The blockchain intelligence firm said evidence points to the involvement of Russian cybercriminal actors in the activity, with one of the

Data Breach / Financial Crime

The encrypted vault backups stolen from the 2022 LastPass data breach have enabled bad actors to take advantage of weak master passwords to crack them open and drain cryptocurrency assets as recently as late 2025, according to new findings from TRM Labs.

The blockchain intelligence firm said evidence points to the involvement of Russian cybercriminal actors in the activity, with one of the Russian exchanges receiving LastPass-linked funds as recently as October.

This assessment is "based on the totality of on-chain evidence – including repeated interaction with Russia-associated infrastructure, continuity of control across pre-and post-mix activity, and the consistent use of high-risk Russian exchanges as off-ramps," it added.

LastPass suffered a major hack in 2022 that enabled attackers to access personal information belonging to its customers, including their encrypted password vaults containing credentials, such as cryptocurrency private keys and seed phrases.

Earlier this month, the password management service was fined $1.6 million by the U.K. Information Commissioner's Office (ICO) for failing to implement sufficiently robust technical and security measures to prevent the incident.

The breach also prompted the company to issue a warning at the time, stating bad actors may use brute-force techniques to guess the master passwords and decrypt the stolen vault data. The latest findings from TRM Labs show that the cybercriminals have done just that.

"Any vault protected by a weak master password could eventually be decrypted offline, turning a single 2022 intrusion into a multi-year window for attackers to quietly crack passwords and drain assets over time," the company said.

"As users failed to rotate passwords or improve vault security, attackers continued to crack weak master passwords years later – leading to wallet drains as recently as late 2025."

The Russian links to the stolen cryptocurrency from the 2022 LastPass breach stem from two primary factors: The use of exchanges commonly associated with the Russian cybercriminal ecosystem in the laundering pipeline and operational connections gleaned from wallets interacting with mixers both before and after the mixing and laundering process.

More $35 million in siphoned digital assets have been traced, out of which $28 million was converted to Bitcoin and laundered via Wasabi Wallet between late 2024 and early 2025. Another $7 million has been linked to a subsequent wave detected in September 2025.

The stolen funds have been found to be routed through Cryptomixer.io and off-ramped via Cryptex and Audia6, two Russian exchanges associated with illicit activity. It's worth mentioning here that Cryptex was sanctioned by the U.S. Treasury Department in September 2024 for receiving over $51.2 million in illicit funds derived from ransomware attacks.

TRM Labs said it was able to demix the activity despite the use of CoinJoin techniques to make it harder to trace the flow of funds to external observers, uncovering clustered withdrawals and peeling chains that funneled mixed Bitcoin into the two exchanges.

"This is a clear example of how a single breach can evolve into a multi-year theft campaign," said Ari Redbord, global head of policy at TRM Labs. "Even when mixers are used, operational patterns, infrastructure reuse, and off-ramp behavior can still reveal who's really behind the activity."

"Russian high-risk exchanges continue to serve as critical off-ramps for global cybercrime. This case shows why demixing and ecosystem-level analysis are now essential tools for attribution and enforcement."

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

LastPass 2022 Breach Led to Years-Long Cryptocurrency Thefts, TRM Labs Finds

Cybersecurity researchers have discovered a new variant of a macOS information stealer called MacSync that's delivered by means of a digitally signed, notarized Swift application masquerading as a messaging app installer to bypass Apple's Gatekeeper checks.
"Unlike earlier MacSync Stealer variants that primarily rely on drag-to-terminal or ClickFix-style techniques, this sample adopts a more

Malware / Endpoint Security

Cybersecurity researchers have discovered a new variant of a macOS information stealer called **MacSync** that's delivered by means of a digitally signed, notarized Swift application masquerading as a messaging app installer to bypass Apple's Gatekeeper checks.

"Unlike earlier MacSync Stealer variants that primarily rely on drag-to-terminal or ClickFix\-style techniques, this sample adopts a more deceptive, hands-off approach," Jamf researcher Thijs Xhaflaire said.

The Apple device management firm and security company said the latest version is distributed as a code-signed and notarized Swift application within a disk image (DMG) file named "zk-call-messenger-installer-3.9.2-lts.dmg" that's hosted on "zkcall\[.\]net/download."

The fact that it's signed and notarized means it can be run without being blocked or flagged by built-in security controls like Gatekeeper or XProtect. Despite this, the installer has been found to display instructions prompting users to right-click and open the app – a common tactic used to sidestep such safeguards. Apple has since revoked the code signing certificate.

The Swift-based dropper then performs a series of checks before downloading and executing an encoded script through a helper component. This includes verifying internet connectivity, enforcing a minimum execution interval of around 3600 seconds to enforce a rate limit, and removing quarantine attributes and validating the file prior to execution.

"Notably, the curl command used to retrieve the payload shows clear deviations from earlier variants," Xhaflaire explained. "Rather than using the commonly seen -fsSL combination, the flags have been split into -fL and -sS, and additional options like --noproxy have been introduced."

"These changes, along with the use of dynamically populated variables, point to a deliberate shift in how the payload is fetched and validated, likely aimed at improving reliability or evading detection."

Another evasion mechanism used in the campaign is the use of an unusually large DMG file, inflating its size to 25.5 MB by embedding unrelated PDF documents.

The Base64-encoded payload, once parsed, corresponds to MacSync, a rebranded version of Mac.c that first emerged in April 2025. MacSync, per MacPaw's Moonlock Lab, comes fitted with a fully-featured Go-based agent that goes beyond simple data theft and enables remote command and control capabilities.

It's worth noting that code-signed versions of malicious DMG files mimicking Google Meet have also been observed in attacks propagating other macOS stealers like Odyssey. That said, threat actors have continued to rely on unsigned disk images to deliver DigitStealer as recently as last month.

"This shift in distribution reflects a broader trend across the macOS malware landscape, where attackers increasingly attempt to sneak their malware into executables that are signed and notarized, allowing them to look more like legitimate applications," Jamf said.

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

Tag

#git