Skip to main content

Forgejo

4 CVEs product

Monthly

CVE-2026-59102 LOW POC PATCH Monitor

Stored XSS in Forgejo before 15.0.3 allows authenticated users to execute arbitrary JavaScript in other users' browsers by embedding an HTML payload in their display name and triggering a CI/CD Actions run. The vulnerability exists because the server-side run description assembles HTML by interpolating the user's full name through a translation function that performs no output encoding, and the frontend renders this server-generated markup via a Vue v-html binding - a classic sink for stored XSS. No public exploit identified at time of analysis as actively exploited in the wild, but a public proof-of-concept exists at the VulnCheck-referenced GitHub repository. The CVSS 4.0 score of 2.1 reflects the non-default configuration prerequisite and passive user interaction required, but the impact on subsequent systems (other users' browser sessions) is real.

XSS Forgejo
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.2%
CVE-2023-49948 MEDIUM PATCH This Month

Forgejo before 1.20.5-1 allows remote attackers to test for the existence of private user accounts by appending .rss (or another extension) to a URL. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Forgejo
NVD
CVSS 3.1
5.3
EPSS
0.8%
CVE-2023-49947 HIGH PATCH This Week

Forgejo before 1.20.5-1 allows 2FA bypass when docker login uses Basic Authentication. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Incorrect Authorization vulnerability could allow attackers to bypass authorization checks to access restricted resources.

Authentication Bypass Docker Forgejo
NVD
CVSS 3.1
7.5
EPSS
0.6%
CVE-2023-49946 CRITICAL Act Now

In Forgejo before 1.20.5-1, certain endpoints do not check whether an object belongs to a repository for which permissions are being checked. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Forgejo
NVD GitHub
CVSS 3.1
9.1
EPSS
0.9%
EPSS 0% CVSS 2.1
LOW POC PATCH Monitor

Stored XSS in Forgejo before 15.0.3 allows authenticated users to execute arbitrary JavaScript in other users' browsers by embedding an HTML payload in their display name and triggering a CI/CD Actions run. The vulnerability exists because the server-side run description assembles HTML by interpolating the user's full name through a translation function that performs no output encoding, and the frontend renders this server-generated markup via a Vue v-html binding - a classic sink for stored XSS. No public exploit identified at time of analysis as actively exploited in the wild, but a public proof-of-concept exists at the VulnCheck-referenced GitHub repository. The CVSS 4.0 score of 2.1 reflects the non-default configuration prerequisite and passive user interaction required, but the impact on subsequent systems (other users' browser sessions) is real.

XSS Forgejo
NVD GitHub VulDB
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

Forgejo before 1.20.5-1 allows remote attackers to test for the existence of private user accounts by appending .rss (or another extension) to a URL. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Forgejo
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Forgejo before 1.20.5-1 allows 2FA bypass when docker login uses Basic Authentication. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Incorrect Authorization vulnerability could allow attackers to bypass authorization checks to access restricted resources.

Authentication Bypass Docker Forgejo
NVD
EPSS 1% CVSS 9.1
CRITICAL Act Now

In Forgejo before 1.20.5-1, certain endpoints do not check whether an object belongs to a repository for which permissions are being checked. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Forgejo
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy