Gitea versions before 1.25.5 look up tracked-time entries by time ID without scoping the lookup to the issue in the request URL, allowing deletion attempts to target entries from another issue.
Gitea versions before 1.25.5 mishandle path resolution during template repository generation, allowing template processing to read or write through symlinked or otherwise non-regular paths.
Gitea versions before 1.25.5 have insufficient visibility checks in organization permission APIs for hidden members and private organizations.
Gitea 1.26.2 allows unauthorized users to access labels of private organizations.
Gitea versions before 1.25.5 have insufficient permission checks for updating or rebasing pull request branches.
Gitea 1.26.2 allows fork synchronization to continue after a parent repository changes from public to private, exposing data to a fork that should no longer be authorized.
Gitea versions up to and including 1.26.2 have incomplete SSRF protection in webhook and migration allow-list filtering.
Gitea versions before 1.25.5 lack validation constraints for repository creation fields, including length-limited template fields and trust model or object format values.
Gitea versions before 1.25.5 have insufficient permission checks when listing tracked time entries.
Gitea Docker image versions up to and including 1.26.2 use REVERSE_PROXY_TRUSTED_PROXIES=* by default, allowing any source IP to impersonate a user when reverse-proxy authentication headers such as X-WEBAUTH-USER are enabled.
Gitea versions from 1.5.0 before 1.26.3 have a TOTP single-use enforcement defect that allows a valid TOTP code to be accepted more than once across web two-factor authentication flows and the Basic Auth X-Gitea-OTP path.