CVSS Score: 3.5 Published: 2026-01-23 Full Report: https://cvereports.com/reports/CVE-2026-0798
A logic flaw in Gitea's notification system allowed unauthorized users—specifically 'watchers' who lost access or remained subscribed after a repository went private—to continue receiving detailed release emails containing private changelogs and tags.
CVSS Score: 6.5 Published: 2026-01-23 Full Report: https://cvereports.com/reports/CVE-2026-20883
A logic flaw in Gitea's stopwatch feature created a persistence vulnerability where users maintained visibility into private issue metadata after access revocation. By failing to re-validate permissions during API object serialization, the system allowed 'zombie' stopwatch records to leak sensitive titles and repository names.
CVSS Score: 9.1 Published: 2026-01-23 Full Report: https://cvereports.com/reports/CVE-2026-20750
A critical IDOR vulnerability in Gitea allows attackers with project write access in one organization to modify or delete projects in completely unrelated organizations. It's a classic case of checking permissions for the wrong object.
CVSS Score: 6.5 Published: 2026-01-23 Full Report: https://cvereports.com/reports/CVE-2026-20800
A classic logic flaw in Gitea's notification system allows users to view metadata of private repositories they no longer have access to. By failing to re-validate permissions at the time of API retrieval, Gitea effectively allowed 'zombie' access to sensitive issue and PR titles.
CVSS Score: 4.3 Published: 2026-01-23 Full Report: https://cvereports.com/reports/CVE-2026-20888
A logic flaw in Gitea's access control allows any user with read access to a repository to cancel scheduled auto-merges, effectively enabling low-privileged users to disrupt CI/CD workflows and release pipelines.
CVSS Score: 9.1 Published: 2026-01-23 Full Report: https://cvereports.com/reports/CVE-2026-20897
A critical Insecure Direct Object Reference (IDOR) in Gitea's Git LFS implementation allows authenticated users to delete file locks across any repository on the instance.
CVSS Score: 7.5 Published: 2026-01-23 Full Report: https://cvereports.com/reports/CVE-2026-20736
A logic flaw in Gitea's attachment handling allowed users to delete files from repositories they no longer had access to. If you uploaded it, you could kill it—even after being fired.
CVSS Score: 9.1 Published: 2026-01-23 Full Report: https://cvereports.com/reports/CVE-2026-20912
A critical logic flaw in Gitea's attachment handling allows authenticated users to link files from private repositories to public releases, effectively bypassing access controls and exposing sensitive data to the internet.
CVSS Score: 6.5 Published: 2026-01-23 Full Report: https://cvereports.com/reports/CVE-2026-20904
A classic Insecure Direct Object Reference (IDOR) vulnerability in Gitea versions prior to 1.25.4 allowed authenticated users to toggle the visibility of OpenID credentials belonging to any other user. The flaw stemmed from a database update query that checked the record ID but failed to verify the record owner.
CVSS Score: 8.8 Published: 2026-01-23 Full Report: https://cvereports.com/reports/CVE-2025-67847
A critical Remote Code Execution vulnerability in Moodle's core backup/restore functionality allows authenticated users (like Teachers) to compromise the entire server by uploading malicious course archives.
