pkg:Go/code.gitea.io/gitea

71 total CVEsCRITICAL14HIGH15MEDIUM36LOW6

✅ Check your installed version

All known vulnerabilities

  • CRITICAL9.8CVE-2024-6886Gitea Cross-site Scripting Vulnerability in code.gitea.io/gitea
    from 0, < 1.22.1
  • CRITICAL9.8CVE-2024-6886Gitea Cross-site Scripting Vulnerability in code.gitea.io/gitea
    from 0, < 1.22.1
  • CRITICAL9.8CVE-2022-42968Gitea vulnerable to Argument Injection in code.gitea.io/gitea
    from 0, < 1.17.3
  • CRITICAL9.8CVE-2019-11576Gitea Allows 1FA Even for 2FA-Enrolled Accounts
    from 0, < 1.8.0
  • CRITICAL9.8CVE-2018-18926Gitea Remote Code Execution (RCE) in code.gitea.io/gitea
    from 0, < 1.5.2
  • CRITICAL9.8CVE-2018-18926Gitea Remote Code Execution (RCE) in code.gitea.io/gitea
    from 0, < 1.5.2
  • CRITICAL9.8CVE-2021-45331Reuse of one time passwords allowed in Gitea in code.gitea.io/gitea
    from 0, < 1.5.0
  • CRITICAL9.8CVE-2021-45331Reuse of one time passwords allowed in Gitea in code.gitea.io/gitea
    from 0, < 1.5.0
  • CRITICAL9.8CVE-2021-45330Improper Privilege Management in Gitea in code.gitea.io/gitea
    from 0, < 1.6.0
  • CRITICAL9.8CVE-2021-45330Improper Privilege Management in Gitea in code.gitea.io/gitea
    from 0, < 1.6.0
  • CRITICAL9.8CVE-2021-45327Capture-replay in Gitea in code.gitea.io/gitea
    from 0, < 1.11.2
  • CRITICAL9.1CVE-2026-20912Gitea does not properly validate repository ownership when linking attachments to releases in code.gitea.io/gitea
    from 0, < 1.25.4
  • CRITICAL9.1CVE-2026-20897Gitea does not properly validate repository ownership when deleting Git LFS locks in code.gitea.io/gitea
    from 0, < 1.25.4
  • CRITICAL9.1CVE-2026-20750Gitea does not properly validate project ownership in organization project operations in code.gitea.io/gitea
    from 0, < 1.25.4
  • HIGH8.6CVE-2018-15192Gogs and Gitea SSRF Vulnerability in code.gitea.io/gitea
    from 0, < 1.16.0-rc1
  • HIGH8.6CVE-2018-15192Gogs and Gitea SSRF Vulnerability in code.gitea.io/gitea
    from 0, < 1.16.0-rc1
  • HIGH8.2CVE-2025-68939Gitea allows attackers to add attachments with forbidden file extensions in code.gitea.io/gitea
    from 0
  • HIGH8.2CVE-2025-68939Gitea allows attackers to add attachments with forbidden file extensions in code.gitea.io/gitea
    from 0
  • HIGH7.5CVE-2026-20736Gitea has improper access control for uploaded attachments in code.gitea.io/gitea
    from 0, < 1.25.4
  • HIGH7.5CVE-2026-20736Gitea has improper access control for uploaded attachments in code.gitea.io/gitea
    from 0, < 1.25.4
  • HIGH7.5CVE-2022-30781Shell command injection in gitea in code.gitea.io/gitea
    from 0, < 1.16.7
  • HIGH7.5CVE-2022-30781Shell command injection in gitea in code.gitea.io/gitea
    from 0, < 1.16.7
  • HIGH7.5CVE-2022-27313Arbitrary file deletion in gitea in code.gitea.io/gitea
    from 0, < 1.16.4
  • HIGH7.5CVE-2022-27313Arbitrary file deletion in gitea in code.gitea.io/gitea
    from 0, < 1.16.4
  • HIGH7.5CVE-2020-13246Denial of Service in Gitea in code.gitea.io/gitea
    from 0, < 1.12.0
  • HIGH7.2CVE-2020-14144Arbitrary Code Execution in Gitea
    >= 1.1.0, < 1.12.6
  • HIGH7.1CVE-2022-0905Gitea Missing Authorization vulnerability in code.gitea.io/gitea
    from 0, < 1.16.4
  • HIGH7.1CVE-2022-0905Gitea Missing Authorization vulnerability in code.gitea.io/gitea
    from 0, < 1.16.4
  • HIGH7.0CVE-2021-3382Buffer Overflow in gitea in code.gitea.io/gitea
    >= 1.9.0, < 1.13.2
  • MEDIUM6.5CVE-2026-20904Gitea does not properly validate ownership when toggling OpenID URI visibility in code.gitea.io/gitea
    from 0, < 1.25.4
  • MEDIUM6.5CVE-2026-20883Gitea improperly exposes issue titles and repository names through previously started stopwatches in code.gitea.io/gitea
    from 0, < 1.25.4
  • MEDIUM6.5CVE-2026-20800Gitea improperly exposes issue and pull request titles in code.gitea.io/gitea
    from 0, < 1.25.4
  • MEDIUM6.5CVE-2022-38795Gitea erroneous repo clones in code.gitea.io/gitea
    from 0, < 1.17.2
  • MEDIUM6.5CVE-2022-38795Gitea erroneous repo clones in code.gitea.io/gitea
    from 0, < 1.17.2
  • MEDIUM6.5CVE-2022-38183Gitea allowed assignment of private issues in code.gitea.io/gitea
    from 0, < 1.16.9
  • MEDIUM6.5CVE-2022-38183Gitea allowed assignment of private issues in code.gitea.io/gitea
    from 0, < 1.16.9
  • MEDIUM6.5CVE-2019-1000002Gitea Arbitrary File Delete Vulnerability
    from 0, < 1.6.3
  • MEDIUM6.1CVE-2019-1010261Gitea XSS Vulnerability in code.gitea.io/gitea
    from 0, < 1.7.1
  • MEDIUM6.1CVE-2019-1010261Gitea XSS Vulnerability in code.gitea.io/gitea
    from 0, < 1.7.1
  • MEDIUM6.1CVE-2019-1010314Gitea XSS Vulnerability in Repository Description
    >= 1.7.2, < 1.7.4
  • MEDIUM6.1CVE-2022-1058Gitea Open Redirect in code.gitea.io/gitea
    from 0, < 1.16.5
  • MEDIUM6.1CVE-2022-1058Gitea Open Redirect in code.gitea.io/gitea
    from 0, < 1.16.5
  • MEDIUM5.8CVE-2025-68945Gitea: anonymous user can visit private user's project in code.gitea.io/gitea
    from 0, < 1.21.2
  • MEDIUM5.8CVE-2025-68945Gitea: anonymous user can visit private user's project in code.gitea.io/gitea
    from 0, < 1.21.2
  • MEDIUM5.4CVE-2025-68946Gitea vulnerable to Cross-site Scripting in code.gitea.io/gitea
    from 0, < 1.20.1
  • MEDIUM5.4CVE-2025-68946Gitea vulnerable to Cross-site Scripting in code.gitea.io/gitea
    from 0, < 1.20.1
  • MEDIUM5.4CVE-2025-68942Gitea allows XSS because the search input box (for creating tags and branches) is v-html instead of v-text in code.gitea.io/gitea
    from 0, < 1.22.2
  • MEDIUM5.4CVE-2025-68942Gitea allows XSS because the search input box (for creating tags and branches) is v-html instead of v-text in code.gitea.io/gitea
    from 0, < 1.22.2
  • MEDIUM5.4CVE-2021-28378Cross-site Scripting in Gitea in code.gitea.io/gitea
    from 0, < 1.13.4
  • MEDIUM5.4CVE-2021-28378Cross-site Scripting in Gitea in code.gitea.io/gitea
    from 0, < 1.13.4
  • MEDIUM5.3CVE-2025-69413Gitea's /api/v1/user endpoint has different responses for failed authentication depending on whether a username exists in code.gitea.io/gitea
    from 0, < 1.25.2
  • MEDIUM5.3CVE-2025-69413Gitea's /api/v1/user endpoint has different responses for failed authentication depending on whether a username exists in code.gitea.io/gitea
    from 0, < 1.25.2
  • MEDIUM5.3CVE-2025-68943Gitea inadvertently discloses users' login times by allowing (for example) the lastlogintime explore/users sort order in code.gitea.io/gitea
    from 0, < 1.21.8
  • MEDIUM5.3CVE-2025-68943Gitea inadvertently discloses users' login times by allowing (for example) the lastlogintime explore/users sort order in code.gitea.io/gitea
    from 0, < 1.21.8
  • MEDIUM5.3CVE-2021-29134Path Traversal in Gitea in code.gitea.io/gitea
    from 0, < 1.13.6
  • MEDIUM5.3CVE-2021-29134Path Traversal in Gitea in code.gitea.io/gitea
    from 0, < 1.13.6
  • MEDIUM5.0CVE-2025-68944Gitea sometimes mishandles propagation of token scope for access control within one of its own package registries in code.gitea.io/gitea
    from 0, < 1.22.2
  • MEDIUM5.0CVE-2025-68944Gitea sometimes mishandles propagation of token scope for access control within one of its own package registries in code.gitea.io/gitea
    from 0, < 1.22.2
  • MEDIUM4.9CVE-2025-68941Gitea mishandles access to a private resource upon receiving an API token with scope limited to public resources in code.gitea.io/gitea
    from 0, < 1.22.3
  • MEDIUM4.9CVE-2025-68941Gitea mishandles access to a private resource upon receiving an API token with scope limited to public resources in code.gitea.io/gitea
    from 0, < 1.22.3
  • MEDIUM4.4CVE-2022-1928Stored Cross-site Scripting in gitea in code.gitea.io/gitea
    from 0, < 1.16.9
  • MEDIUM4.4CVE-2022-1928Stored Cross-site Scripting in gitea in code.gitea.io/gitea
    from 0, < 1.16.9
  • MEDIUM4.3CVE-2026-20888Gitea does not properly verify authorization when canceling scheduled auto-merges via the web interface in code.gitea.io/gitea
    from 0, < 1.25.4
  • MEDIUM4.3CVE-2025-68938Gitea mishandles authorization for deletion of releases in code.gitea.io/gitea
    from 0, < 1.25.2
  • MEDIUM4.3CVE-2025-68938Gitea mishandles authorization for deletion of releases in code.gitea.io/gitea
    from 0, < 1.25.2
  • LOW3.5CVE-2026-0798Gitea may send release notification emails for private repositories to users whose access has been revoked in code.gitea.io/gitea
    from 0, < 1.25.4
  • LOW3.5CVE-2026-0798Gitea may send release notification emails for private repositories to users whose access has been revoked in code.gitea.io/gitea
    from 0, < 1.25.4
  • LOW3.1CVE-2025-68940Gitea doesn't adequately enforce branch deletion permissions after merging a pull request. in code.gitea.io/gitea
    from 0, < 1.22.5
  • LOW3.1CVE-2025-68940Gitea doesn't adequately enforce branch deletion permissions after merging a pull request. in code.gitea.io/gitea
    from 0, < 1.22.5
  • LOW3.0CVE-2023-3515code.gitea.io/gitea Open Redirect vulnerability
    from 0, < 1.19.4
  • LOW3.0CVE-2023-3515code.gitea.io/gitea Open Redirect vulnerability
    from 0, < 1.19.4