gitea -- multiple vulnerabilities
| Affected packages | Version range |
| --- | --- |
| gitea | < 1.26.4 |
Details

| Field | Value |
| --- | --- |
| VuXML ID | f00e2de8-7d30-48d2-a43d-68206347dea6 |
| Discovery | 2026-05-20 |
| Entry | 2026-06-28 |
The Gitea team reports:
- CVE-2026-27783: incorrect read permission check
- CVE-2026-25714: public-only token filtering bypass
- CVE-2026-20706: missing token scope checking
- CVE-2026-27771: unauthenticated access to private container images
- CVE-2026-28744: git smart HTTP request scope bug
- CVE-2026-28699: basic auth bug
- CVE-2026-26231: maintainer edit permission escalation
- CVE-2026-20896: reverse proxy trusted proxies misconfiguration allowing user impersonation
- CVE-2026-22874: incomplete SSRF protection in webhooks and migrations
- CVE-2026-27775: branch write permission cache escalation
- CVE-2026-27761: RSS/Atom feed token scope not enforced
- CVE-2026-25038: private organization labels leaked to non-members
- CVE-2026-24451: fork sync allowed after base repo access revoked
- CVE-2026-20779: TOTP passcode reuse across login surfaces (TOCTOU race)
- CVE-2026-28740: cross-repository LFS object reuse without Code-unit access
- OAuth2 callback could auto-reactivate disabled users
Copyright © 2003-2005 Jacques Vidrine and contributors. Please see the source of this document for full copyright information.