SB2026062238 - Multiple vulnerabilities in Gitea

Published: June 22, 2026

Security Bulletin ID: SB2026062238
CSH Severity: Medium
Patch available: Yes
Number of vulnerabilities: 3
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Medium: 67%
Low: 33%

Description

This security bulletin contains information about 3 vulnerabilities.


1) Cross-site scripting (CVE-ID: CVE-2026-28737)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute arbitrary JavaScript in the victim's browser within the Gitea origin.

The vulnerability exists due to cross-site scripting in the built-in 3D file viewer's error display when it parses a crafted .gltf file whose extensionsRequired values are unsupported: the unsupported extension names are reflected into the error message without neutralization. A remote user can push a specially crafted .gltf file to a repository; when the file is viewed, the embedded script executes in the victim's browser within the Gitea origin.

User interaction is required to view the crafted file page in the Gitea web UI.
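The defect class behind this item is file-derived text reaching markup unescaped. The following Go program is an added illustration, not Gitea's viewer code: it parses a constructed glTF document, collects the extensionsRequired entries an assumed supported-extension set does not cover, and renders the error message both the vulnerable way (string concatenation into HTML) and the hardened way (escaping each file-derived string; on a browser client the equivalent is writing textContent rather than innerHTML). The extension names and the sample document are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"html"
	"strings"
)

// Assumed set of glTF extensions the viewer supports; constructed for this
// example, not Gitea's real list.
var supportedExtensions = map[string]bool{
	"KHR_materials_unlit":   true,
	"KHR_texture_transform": true,
}

// Only the field relevant to the check is modelled.
type gltfAsset struct {
	ExtensionsRequired []string `json:"extensionsRequired"`
}

// UnsupportedExtensions parses a glTF JSON document and returns the
// extensionsRequired entries the viewer cannot handle. These strings come
// straight from the repository file and are therefore attacker-controlled.
func UnsupportedExtensions(doc []byte) ([]string, error) {
	var asset gltfAsset
	if err := json.Unmarshal(doc, &asset); err != nil {
		return nil, err
	}
	var missing []string
	for _, ext := range asset.ExtensionsRequired {
		if !supportedExtensions[ext] {
			missing = append(missing, ext)
		}
	}
	return missing, nil
}

// UnsafeErrorHTML shows the pattern behind this bug class: file content is
// concatenated into markup, so any tag inside an "extension name" is rendered.
func UnsafeErrorHTML(missing []string) string {
	return fmt.Sprintf("<p class=\"error\">Unsupported extensions: %s</p>", strings.Join(missing, ", "))
}

// SafeErrorHTML escapes every file-derived string before it reaches markup.
func SafeErrorHTML(missing []string) string {
	escaped := make([]string, len(missing))
	for i, ext := range missing {
		escaped[i] = html.EscapeString(ext)
	}
	return fmt.Sprintf("<p class=\"error\">Unsupported extensions: %s</p>", strings.Join(escaped, ", "))
}

func main() {
	// Constructed sample: a minimal glTF header whose required-extension
	// entry carries markup instead of an extension identifier.
	sample := []byte(`{"asset":{"version":"2.0"},"extensionsRequired":["KHR_materials_unlit","<b>not_an_extension</b>"]}`)
	missing, err := UnsupportedExtensions(sample)
	if err != nil {
		panic(err)
	}
	fmt.Println("unsafe:", UnsafeErrorHTML(missing))
	fmt.Println("safe:  ", SafeErrorHTML(missing))
}
```

The escaping has to happen at the point where the string enters markup; validating extension names against an allow-list earlier is useful but does not replace it, because the error path exists precisely for names that failed validation.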


2) Improper Authorization (CVE-ID: CVE-2026-22555)

CWE-ID: CWE-285 - Improper Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to disclose sensitive information and push arbitrary code under the organization's namespace.

The vulnerability exists due to improper access control in the `POST /api/v1/repos/{owner}/{repo}/forks` API endpoint when forking a repository into an organization. A remote user can send a crafted API request to create a fork in the organization namespace, obtain admin permissions on that fork, and exfiltrate organization-level CI/CD secrets.

Exploitation requires membership in the target organization and access to an existing organization repository. Instances with Actions enabled and runner infrastructure available are affected by the secret exfiltration path.
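The authorization gap described here is a fork request that checks the actor's rights on the source repository but not their rights in the target namespace. The Go program below is an added example with a hypothetical, simplified model (the User, Organization and Repository types, the per-member create-repository flag and the fixture names are all assumptions, not Gitea's code): AuthorizeFork requires read access to the source and, independently, membership in the target organization with permission to create repositories there, so a plain member cannot obtain a fork in the organization's namespace.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical, simplified model of the objects involved in a fork into an
// organization; names and fields are assumptions for this example.
type User struct{ Name string }

type Organization struct {
	Name string
	// members maps user name -> whether that member may create repositories
	// in the organization (assumed to be true for owners and for members of
	// a team granted that permission).
	members map[string]bool
}

type Repository struct {
	Owner   string
	Name    string
	Private bool
	readers map[string]bool // users with read access when the repo is private
}

var (
	ErrNoReadAccess       = errors.New("actor cannot read the source repository")
	ErrNotOrgMember       = errors.New("actor is not a member of the target organization")
	ErrNoCreatePermission = errors.New("actor may not create repositories in the target organization")
)

// CanRead is the per-repository check a fork handler already performs.
func (r *Repository) CanRead(u *User) bool {
	return !r.Private || r.readers[u.Name]
}

// AuthorizeFork performs every check a fork-into-organization request needs
// before any repository is created. Passing the source check alone is not
// enough: the target namespace must independently grant create rights.
func AuthorizeFork(actor *User, source *Repository, target *Organization) error {
	if !source.CanRead(actor) {
		return ErrNoReadAccess
	}
	canCreate, isMember := target.members[actor.Name]
	if !isMember {
		return ErrNotOrgMember
	}
	if !canCreate {
		return ErrNoCreatePermission
	}
	return nil
}

// NewFixtures builds a constructed scenario: one organization with an owner
// and a plain member, and one private repository both of them can read.
func NewFixtures() (*Organization, *Repository) {
	org := &Organization{Name: "acme", members: map[string]bool{"owner": true, "member": false}}
	repo := &Repository{Owner: "acme", Name: "app", Private: true,
		readers: map[string]bool{"owner": true, "member": true}}
	return org, repo
}

func main() {
	org, repo := NewFixtures()
	for _, name := range []string{"owner", "member", "outsider"} {
		err := AuthorizeFork(&User{Name: name}, repo, org)
		fmt.Printf("%-8s fork into %s: %v\n", name, org.Name, err)
	}
}
```

When reviewing a fix for this class of issue, the thing to confirm is that the namespace check runs before the fork is created and admin rights on it are assigned, not after; a check that only hides the fork from listings leaves the Actions secret path open.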


3) Open redirect (CVE-ID: CVE-2026-25779)

CWE-ID: CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to redirect users to an arbitrary website.

The vulnerability exists due to open redirect in the redirect_to parameter when processing login requests. A remote attacker can supply a crafted redirect_to value using directory traversal sequences and a backslash to redirect users to an arbitrary website.

Successful exploitation occurs after the victim logs in using a crafted link.


Remediation

Install the update from the vendor's website.