CVE-2025-68941

Gitea before 1.22.3 mishandles access to a private resource upon receiving an API token with scope limited to public resources.

medium 4.9 CVSS 3.1
Published: Dec 26, 2025
Modified: Jan 2, 2026
Vendor: Gitea
Product: Gitea

Description

Gitea before 1.22.3 mishandles access to a private resource upon receiving an API token with scope limited to public resources.

References

Related CVEs

CVE-2025-68946 medium · 5.4
In Gitea before 1.20.1, a forbidden URL scheme such as javascript: can be used for a link, aka XSS.
CVE-2025-68943 medium · 5.3
Gitea before 1.21.8 inadvertently discloses users' login times by allowing (for example) the lastlogintime explore/users sort order.
CVE-2025-68944 medium · 5.0
Gitea before 1.22.2 sometimes mishandles the propagation of token scope for access control within one of its own package registries.
CVE-2025-68945 medium · 5.8
In Gitea before 1.21.2, an anonymous user can visit a private user's project.
CVE-2025-68942 medium · 5.4
Gitea before 1.22.2 allows XSS because the search input box (for creating tags and branches) is v-html instead of v-text.
CVE-2025-68939 high · 8.2
Gitea before 1.23.0 allows attackers to add attachments with forbidden file extensions by editing an attachment name via an attachment API.