Affected by GO-2022-0353 and 21 other vulnerabilities:
GO-2022-0353: Path Traversal in Gitea in code.gitea.io/gitea
GO-2022-0442: Arbitrary file deletion in gitea in code.gitea.io/gitea
GO-2022-0450: Shell command injection in gitea in code.gitea.io/gitea
GO-2022-0609: Gitea Missing Authorization vulnerability in code.gitea.io/gitea
GO-2022-0612: Stored Cross-site Scripting in gitea in code.gitea.io/gitea
GO-2022-1065: Gitea vulnerable to Argument Injection in code.gitea.io/gitea
GO-2023-1894: code.gitea.io/gitea Open Redirect vulnerability
GO-2023-1971: Gogs and Gitea SSRF Vulnerability in code.gitea.io/gitea
GO-2023-1999: Gitea erroneous repo clones in code.gitea.io/gitea
GO-2024-2752: Gitea Open Redirect in code.gitea.io/gitea
GO-2024-2769: Gitea allowed assignment of private issues in code.gitea.io/gitea
GO-2024-3056: Gitea Cross-site Scripting Vulnerability in code.gitea.io/gitea
GO-2025-4258: Gitea mishandles authorization for deletion of releases in code.gitea.io/gitea
GO-2025-4261: Gitea allows attackers to add attachments with forbidden file extensions in code.gitea.io/gitea
GO-2025-4262: Gitea: anonymous user can visit private user's project in code.gitea.io/gitea
GO-2025-4263: Gitea allows XSS because the search input box (for creating tags and branches) is v-html instead of v-text in code.gitea.io/gitea
GO-2025-4264: Gitea sometimes mishandles propagation of token scope for access control within one of its own package registries in code.gitea.io/gitea
GO-2025-4265: Gitea vulnerable to Cross-site Scripting in code.gitea.io/gitea
GO-2025-4266: Gitea inadvertently discloses users' login times by allowing (for example) the lastlogintime explore/users sort order in code.gitea.io/gitea
GO-2025-4267: Gitea doesn't adequately enforce branch deletion permissions after merging a pull request in code.gitea.io/gitea
GO-2025-4268: Gitea mishandles access to a private resource upon receiving an API token with scope limited to public resources in code.gitea.io/gitea
GO-2026-4274: Gitea's /api/v1/user endpoint has different responses for failed authentication depending on whether a username exists in code.gitea.io/gitea
Schemes: http, https
BasePath: /api/v1
Version: 1.1.1
License: MIT http://opensource.org/licenses/MIT
Consumes:
- application/json
- text/plain
Produces:
- application/json
- text/html
Security:
- BasicAuth :
- Token :
- AccessToken :
- AuthorizationHeaderToken :
- SudoParam :
- SudoHeader :
- TOTPHeader :
SecurityDefinitions:
BasicAuth:
    type: basic
Token:
    type: apiKey
    name: token
    in: query
AccessToken:
    type: apiKey
    name: access_token
    in: query
AuthorizationHeaderToken:
    type: apiKey
    name: Authorization
    in: header
    description: API tokens must be prepended with "token" followed by a space.
SudoParam:
    type: apiKey
    name: sudo
    in: query
    description: Sudo API request as the user provided as the key. Admin privileges are required.
SudoHeader:
    type: apiKey
    name: Sudo
    in: header
    description: Sudo API request as the user provided as the key. Admin privileges are required.
TOTPHeader:
    type: apiKey
    name: X-GITEA-OTP
    in: header
    description: Must be used in combination with BasicAuth if two-factor authentication is enabled.
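The security definitions above list the ways a caller can carry credentials to /api/v1. The following is an added example, not Gitea's own code and not a description of how its middleware is implemented: a small Go handler that accepts each carrier exactly as the definitions describe it, with the checks a practitioner would want. The Authorization scheme word is literally "token" (a "Bearer" header is rejected), BasicAuth without X-GITEA-OTP is rejected for a user with 2FA on, and sudo / Sudo is refused unless the authenticated user is an admin. The token value, user names and one-time code are constructed for the example.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed credentials for this example only; none of them is a Gitea default.
const (
	validToken = "0123456789abcdef0123456789abcdef01234567" // a made-up API token
	tokenOwner = "alice"                                    // non-admin user the token belongs to
	adminUser  = "admin"
	adminPass  = "admin-pass"
	adminOTP   = "123456" // the code the admin's TOTP device would show right now
)

// AuthResult is who the request authenticated as and whom it acts as (the same
// user unless Sudo was used). Err is non-empty when the request must be rejected.
type AuthResult struct {
	User   string
	ActsAs string
	Err    string
}

func eq(a, b string) bool { return subtle.ConstantTimeCompare([]byte(a), []byte(b)) == 1 }

// Authenticate resolves the credential carriers the swagger SecurityDefinitions
// list: Basic credentials plus the X-GITEA-OTP header, an Authorization header
// of the form "token <token>", the token / access_token query parameters, and
// the sudo query parameter or Sudo header that only an admin may use.
func Authenticate(r *http.Request) AuthResult {
	user, isAdmin := "", false

	if u, p, ok := r.BasicAuth(); ok {
		// BasicAuth + TOTPHeader: with 2FA enabled the password alone is not enough.
		if !eq(u, adminUser) || !eq(p, adminPass) {
			return AuthResult{Err: "bad basic credentials"}
		}
		if !eq(r.Header.Get("X-GITEA-OTP"), adminOTP) {
			return AuthResult{Err: "2FA enabled: X-GITEA-OTP header required"}
		}
		user, isAdmin = adminUser, true
	} else if h := r.Header.Get("Authorization"); h != "" {
		// AuthorizationHeaderToken: the scheme word is literally "token", not "Bearer".
		if !strings.HasPrefix(h, "token ") || !eq(strings.TrimPrefix(h, "token "), validToken) {
			return AuthResult{Err: `Authorization header must be "token <token>"`}
		}
		user = tokenOwner
	} else if q := r.URL.Query(); q.Get("token") != "" || q.Get("access_token") != "" {
		// Token / AccessToken: the same secret in the query string. It works, but it
		// then ends up in access logs, proxies and browser history; prefer the header.
		tok := q.Get("token")
		if tok == "" {
			tok = q.Get("access_token")
		}
		if !eq(tok, validToken) {
			return AuthResult{Err: "bad query token"}
		}
		user = tokenOwner
	}
	// No carrier at all: the request is anonymous (user == "").

	// SudoParam / SudoHeader: run the call as another user; admins only.
	sudo := r.URL.Query().Get("sudo")
	if sudo == "" {
		sudo = r.Header.Get("Sudo")
	}
	if sudo != "" {
		if !isAdmin {
			return AuthResult{User: user, Err: "sudo requires admin privileges"}
		}
		return AuthResult{User: user, ActsAs: sudo}
	}
	return AuthResult{User: user, ActsAs: user}
}

func main() {
	// A stand-in server so the request shape can be seen end to end.
	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		res := Authenticate(r)
		if res.Err != "" || res.User == "" {
			http.Error(w, res.Err, http.StatusUnauthorized)
			return
		}
		fmt.Fprintf(w, "authenticated as %q, acting as %q\n", res.User, res.ActsAs)
	}))
	defer ts.Close()

	req, _ := http.NewRequest("GET", ts.URL+"/api/v1/user", nil)
	req.Header.Set("Authorization", "token "+validToken)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		panic(err)
	}
	defer resp.Body.Close()
	fmt.Println(resp.Status)
}
```

Two design points worth noting. Secrets are compared with subtle.ConstantTimeCompare so a wrong token is not distinguishable by timing, and the query-string carriers (token, access_token) are honoured because the spec lists them, but any client you write should send the Authorization header instead: a token in the URL is copied into every access log and proxy on the path.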