Affected by GO-2024-3056
and 8 other vulnerabilities
GO-2024-3056: Gitea Cross-site Scripting Vulnerability in code.gitea.io/gitea
GO-2025-4258: Gitea mishandles authorization for deletion of releases in code.gitea.io/gitea
GO-2025-4261: Gitea allows attackers to add attachments with forbidden file extensions in code.gitea.io/gitea
GO-2025-4263: Gitea allows XSS because the search input box (for creating tags and branches) is v-html instead of v-text in code.gitea.io/gitea
GO-2025-4264: Gitea sometimes mishandles propagation of token scope for access control within one of its own package registries in code.gitea.io/gitea
GO-2025-4266: Gitea inadvertently discloses users' login times by allowing (for example) the lastlogintime explore/users sort order in code.gitea.io/gitea
GO-2025-4267: Gitea doesn't adequately enforce branch deletion permissions after merging a pull request. in code.gitea.io/gitea
GO-2025-4268: Gitea mishandles access to a private resource upon receiving an API token with scope limited to public resources in code.gitea.io/gitea
GO-2026-4274: Gitea's /api/v1/user endpoint has different responses for failed authentication depending on whether a username exists in code.gitea.io/gitea
Expr evaluates the given expression tokens and returns the result.
It supports the following operators: +, -, *, /, and, or, not, ==, !=, >, >=, <, <=.
Non-zero values are treated as true, zero values are treated as false.
If no error occurs, the result is either an int64 or a float64.
If all numbers are integer, the result is an int64, otherwise if there is any float number, the result is a float64.
Affected by 
Documentation
¶
Source Files