Lifecycle Timeline
1DescriptionCVE.org
Gitea versions before 1.25.5 have insufficient permission checks when listing tracked time entries.
Analysis
Gitea versions before 1.25.5 have insufficient permission checks when listing tracked time entries.
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Threat intelligence, references, and detailed analysis are available after sign-in.
Container escape in Gitea act_runner (Docker backend, through act 0.262.0) lets an authenticated user with workflow-exec
Broken access control in Gitea's Composer package registry (versions up to and including 1.26.1) lets remote attackers r
Reverse-proxy authentication bypass in the official Gitea Docker image (versions up to and including 1.26.2) allows any
Cross-repository information disclosure and cross-task tampering in Gitea's self-hosted Git server (fixed in v1.26.2) ar
Server-side request forgery in Gitea versions up to and including 1.26.2 lets authenticated users abuse incomplete allow
Approval-gate bypass in Woodpecker CI before 3.15.0 lets an attacker who can open a merge request from a fork against a
Gitea fails to validate repository ownership when linking attachments to releases, allowing users to attach files from o
Gitea fails to validate repository ownership when deleting Git LFS locks, allowing users with write access to one repo t
Gitea does not properly validate project ownership in organization operations, allowing users with project write access
Stored cross-site scripting in Gitea 1.25.x affects the built-in 3D file viewer (Online3DViewer integration) where a cra
Authorization bypass in Gitea versions up to and including 1.26.1 allows any authenticated user with mere read access to
Authorization bypass in Gitea versions 1.22.3 through 1.26.1 allows holders of `public-only` access tokens or OAuth gran
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41615
GHSA-fhq3-p242-2qpf