Total CVEs

143,081

Critical Severity

4,044

High Severity

14,530

Last 7 Days

1,278
Quick preset (or use dates below)
Clear Filters
📅 Showing Year: 2026 (January 1 - December 31, 2026) View All Years →
Showing 21 - 31 of 31 CVEs
CVE-2026-25782 MEDIUM - 5.3

Gitea versions before 1.25.5 look up tracked-time entries by time ID without scoping the lookup to the issue in the request URL, allowing deletion attempts to target entries from another issue.

Vendor: Gitea
Product: Gitea Open Source Git Server
Published: Jul 03, 2026
Source: NVD
CVE-2026-25718 CRITICAL - 9.1

Gitea versions before 1.25.5 mishandle path resolution during template repository generation, allowing template processing to read or write through symlinked or otherwise non-regular paths.

Vendor: Gitea
Product: Gitea Open Source Git Server
Published: Jul 03, 2026
Source: NVD
CVE-2026-25712 HIGH - 7.5

Gitea versions before 1.25.5 have insufficient visibility checks in organization permission APIs for hidden members and private organizations.

Vendor: Gitea
Product: Gitea Open Source Git Server
Published: Jul 03, 2026
Source: NVD
CVE-2026-25038 HIGH - 7.5

Gitea 1.26.2 allows unauthorized users to access labels of private organizations.

Vendor: Gitea
Product: Gitea Open Source Git Server
Published: Jul 03, 2026
Source: NVD
CVE-2026-24690 HIGH - 7.5

Gitea versions before 1.25.5 have insufficient permission checks for updating or rebasing pull request branches.

Vendor: Gitea
Product: Gitea Open Source Git Server
Published: Jul 03, 2026
Source: NVD
CVE-2026-24451 HIGH - 7.5

Gitea 1.26.2 allows fork synchronization to continue after a parent repository changes from public to private, exposing data to a fork that should no longer be authorized.

Vendor: Gitea
Product: Gitea Open Source Git Server
Published: Jul 03, 2026
Source: NVD
CVE-2026-22874 CRITICAL - 9.6

Gitea versions up to and including 1.26.2 have incomplete SSRF protection in webhook and migration allow-list filtering.

Vendor: Gitea
Product: Gitea Open Source Git Server
Published: Jul 03, 2026
Source: NVD
CVE-2026-22547 CRITICAL - 9.1

Gitea versions before 1.25.5 lack validation constraints for repository creation fields, including length-limited template fields and trust model or object format values.

Vendor: Gitea
Product: Gitea Open Source Git Server
Published: Jul 03, 2026
Source: NVD
CVE-2026-20909 MEDIUM - 5.3

Gitea versions before 1.25.5 have insufficient permission checks when listing tracked time entries.

Vendor: Gitea
Product: Gitea Open Source Git Server
Published: Jul 03, 2026
Source: NVD
CVE-2026-20896 CRITICAL - 9.8

Gitea Docker image versions up to and including 1.26.2 use REVERSE_PROXY_TRUSTED_PROXIES=* by default, allowing any source IP to impersonate a user when reverse-proxy authentication headers such as X-WEBAUTH-USER are enabled.

Vendor: Gitea
Product: Gitea Open Source Git Server
Published: Jul 03, 2026
Source: NVD
CVE-2026-20779 HIGH - 7.1

Gitea versions from 1.5.0 before 1.26.3 have a TOTP single-use enforcement defect that allows a valid TOTP code to be accepted more than once across web two-factor authentication flows and the Basic Auth X-Gitea-OTP path.

Vendor: Gitea
Product: Gitea Open Source Git Server
Published: Jul 03, 2026
Source: NVD