Gitea before 1.21.8 inadvertently discloses users' login times by allowing (for example) the lastlogintime explore/users sort order.
CVSS Score
5.3
EPSS Score
0.0
Published
2025-12-26
Gitea before 1.22.2 sometimes mishandles the propagation of token scope for access control within one of its own package registries.
CVSS Score
5.0
EPSS Score
0.0
Published
2025-12-26
Gitea before 1.22.2 allows XSS because the search input box (for creating tags and branches) is v-html instead of v-text.
CVSS Score
5.4
EPSS Score
0.0
Published
2025-12-26
Gitea before 1.23.0 allows attackers to add attachments with forbidden file extensions by editing an attachment name via an attachment API.
CVSS Score
8.2
EPSS Score
0.0
Published
2025-12-26
In Gitea before 1.22.5, branch deletion permissions are not adequately enforced after merging a pull request.
CVSS Score
3.1
EPSS Score
0.0
Published
2025-12-26
Gitea before 1.22.3 mishandles access to a private resource upon receiving an API token with scope limited to public resources.
CVSS Score
4.9
EPSS Score
0.0
Published
2025-12-26
Gitea before 1.25.2 mishandles authorization for deletion of releases.
CVSS Score
4.3
EPSS Score
0.0
Published
2025-12-26
Page 2