Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
10 vulnerabilities found for Forgejo by Forgejo
CVE-2026-59102 (GCVE-0-2026-59102)
Vulnerability from nvd – Published: 2026-07-02 19:44 – Updated: 2026-07-02 19:44 X_Open Source
VLAI
Title
Forgejo < 15.0.3 - Stored XSS via Actions Run Full Name Rendering
Summary
Forgejo before 15.0.3 contains a stored cross-site scripting vulnerability that allows authenticated attackers to execute arbitrary JavaScript in other users' browsers by setting a full name containing an HTML payload and triggering an Actions run. When the DEFAULT_SHOW_FULL_NAME option is enabled, the run description is assembled server-side with the user's display name interpolated into an HTML string via a translation function that does not escape its arguments, and the frontend renders the result using a Vue v-html binding, causing script execution for any user who views the affected Actions run page.
Severity
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://codeberg.org/forgejo/forgejo/src/branch/f… | release-notespatch |
| https://github.com/geo-chen/oss/blob/main/forgejo.md | technical-descriptionexploit |
| https://codeberg.org/forgejo/forgejo/pulls/13002 | issue-tracking |
| https://www.vulncheck.com/advisories/forgejo-stor… | third-party-advisory |
Date Public
2026-06-10 00:00
Credits
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "forgejo",
"repo": "https://codeberg.org/forgejo/forgejo",
"vendor": "forgejo",
"versions": [
{
"lessThan": "15.0.3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:forgejo:forgejo:*:*:*:*:*:*:*:*",
"versionEndExcluding": "15.0.3",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "George Chen"
}
],
"datePublic": "2026-06-10T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Forgejo before 15.0.3 contains a stored cross-site scripting vulnerability that allows authenticated attackers to execute arbitrary JavaScript in other users\u0027 browsers by setting a full name containing an HTML payload and triggering an Actions run. When the DEFAULT_SHOW_FULL_NAME option is enabled, the run description is assembled server-side with the user\u0027s display name interpolated into an HTML string via a translation function that does not escape its arguments, and the frontend renders the result using a Vue v-html binding, causing script execution for any user who views the affected Actions run page."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.1,
"baseSeverity": "LOW",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-02T19:44:07.617Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "Release Notes",
"tags": [
"release-notes",
"patch"
],
"url": "https://codeberg.org/forgejo/forgejo/src/branch/forgejo/release-notes-published/15.0.3.md"
},
{
"name": "Researcher Disclosure",
"tags": [
"technical-description",
"exploit"
],
"url": "https://github.com/geo-chen/oss/blob/main/forgejo.md"
},
{
"name": "Fix PR",
"tags": [
"issue-tracking"
],
"url": "https://codeberg.org/forgejo/forgejo/pulls/13002"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/forgejo-stored-xss-via-actions-run-full-name-rendering"
}
],
"tags": [
"x_open-source"
],
"title": "Forgejo \u003c 15.0.3 - Stored XSS via Actions Run Full Name Rendering",
"x_generator": {
"engine": "vulncheck-endgame"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2026-59102",
"datePublished": "2026-07-02T19:44:07.617Z",
"dateReserved": "2026-07-02T15:38:18.929Z",
"dateUpdated": "2026-07-02T19:44:07.617Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68937 (GCVE-0-2025-68937)
Vulnerability from nvd – Published: 2025-12-25 23:57 – Updated: 2025-12-26 14:51
VLAI
Summary
Forgejo before 13.0.2 allows attackers to write to unintended files, and possibly obtain server shell access, because of mishandling of out-of-repository symlink destinations for template repositories. This is also fixed for 11 LTS in 11.0.7 and later.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-61 - UNIX Symbolic Link (Symlink) Following
Assigner
References
6 references
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-68937",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-26T14:40:08.642834Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-26T14:51:12.778Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Forgejo",
"vendor": "Forgejo",
"versions": [
{
"lessThan": "13.0.2",
"status": "affected",
"version": "12.0.0",
"versionType": "semver"
},
{
"lessThan": "11.0.7",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:forgejo:forgejo:*:*:*:*:*:*:*:*",
"versionEndExcluding": "13.0.2",
"versionStartIncluding": "12.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:forgejo:forgejo:*:*:*:*:*:*:*:*",
"versionEndExcluding": "11.0.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Forgejo before 13.0.2 allows attackers to write to unintended files, and possibly obtain server shell access, because of mishandling of out-of-repository symlink destinations for template repositories. This is also fixed for 11 LTS in 11.0.7 and later."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 9.5,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-61",
"description": "CWE-61 UNIX Symbolic Link (Symlink) Following",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-26T01:00:13.916Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://codeberg.org/forgejo/forgejo/src/branch/forgejo/release-notes-published/13.0.2.md"
},
{
"url": "https://codeberg.org/forgejo/forgejo/src/branch/forgejo/release-notes-published/11.0.7.md"
},
{
"url": "https://codeberg.org/forgejo/forgejo/milestone/29156"
},
{
"url": "https://codeberg.org/forgejo/forgejo/milestone/27340"
},
{
"url": "https://codeberg.org/forgejo/security-announcements/issues/43"
},
{
"url": "https://blog.gitea.com/release-of-1.24.7/"
}
],
"x_generator": {
"engine": "CVE-Request-form 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-68937",
"datePublished": "2025-12-25T23:57:30.456Z",
"dateReserved": "2025-12-25T23:57:30.203Z",
"dateUpdated": "2025-12-26T14:51:12.778Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-49948 (GCVE-0-2023-49948)
Vulnerability from nvd – Published: 2023-12-03 00:00 – Updated: 2024-08-02 22:09
VLAI
Summary
Forgejo before 1.20.5-1 allows remote attackers to test for the existence of private user accounts by appending .rss (or another extension) to a URL.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:09:49.130Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://forgejo.org/2023-11-release-v1-20-5-1/"
},
{
"tags": [
"x_transferred"
],
"url": "https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md"
},
{
"tags": [
"x_transferred"
],
"url": "https://codeberg.org/forgejo/forgejo/commit/d7408d8b0b04afd2a3c8e23cc908e7bd3849f34d"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Forgejo before 1.20.5-1 allows remote attackers to test for the existence of private user accounts by appending .rss (or another extension) to a URL."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-03T18:55:21.655Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://forgejo.org/2023-11-release-v1-20-5-1/"
},
{
"url": "https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md"
},
{
"url": "https://codeberg.org/forgejo/forgejo/commit/d7408d8b0b04afd2a3c8e23cc908e7bd3849f34d"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-49948",
"datePublished": "2023-12-03T00:00:00.000Z",
"dateReserved": "2023-12-03T00:00:00.000Z",
"dateUpdated": "2024-08-02T22:09:49.130Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-49947 (GCVE-0-2023-49947)
Vulnerability from nvd – Published: 2023-12-03 00:00 – Updated: 2024-08-02 22:09
VLAI
Summary
Forgejo before 1.20.5-1 allows 2FA bypass when docker login uses Basic Authentication.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:09:49.222Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://forgejo.org/2023-11-release-v1-20-5-1/"
},
{
"tags": [
"x_transferred"
],
"url": "https://codeberg.org/forgejo/forgejo/commit/44df78edd40076b349d50dc5fb02af417a44cfab"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Forgejo before 1.20.5-1 allows 2FA bypass when docker login uses Basic Authentication."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-03T18:55:33.844Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://forgejo.org/2023-11-release-v1-20-5-1/"
},
{
"url": "https://codeberg.org/forgejo/forgejo/commit/44df78edd40076b349d50dc5fb02af417a44cfab"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-49947",
"datePublished": "2023-12-03T00:00:00.000Z",
"dateReserved": "2023-12-03T00:00:00.000Z",
"dateUpdated": "2024-08-02T22:09:49.222Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-49946 (GCVE-0-2023-49946)
Vulnerability from nvd – Published: 2023-12-03 00:00 – Updated: 2024-08-02 22:09
VLAI
Summary
In Forgejo before 1.20.5-1, certain endpoints do not check whether an object belongs to a repository for which permissions are being checked. This allows remote attackers to read private issues, read private pull requests, delete issues, and perform other unauthorized actions.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:09:49.457Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://forgejo.org/2023-11-release-v1-20-5-1/"
},
{
"tags": [
"x_transferred"
],
"url": "https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md"
},
{
"tags": [
"x_transferred"
],
"url": "https://about.gitea.com/security"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/gogs/gogs/security"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Forgejo before 1.20.5-1, certain endpoints do not check whether an object belongs to a repository for which permissions are being checked. This allows remote attackers to read private issues, read private pull requests, delete issues, and perform other unauthorized actions."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-03T18:56:04.385Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://forgejo.org/2023-11-release-v1-20-5-1/"
},
{
"url": "https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md"
},
{
"url": "https://about.gitea.com/security"
},
{
"url": "https://github.com/gogs/gogs/security"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-49946",
"datePublished": "2023-12-03T00:00:00.000Z",
"dateReserved": "2023-12-03T00:00:00.000Z",
"dateUpdated": "2024-08-02T22:09:49.457Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-59102 (GCVE-0-2026-59102)
Vulnerability from cvelistv5 – Published: 2026-07-02 19:44 – Updated: 2026-07-02 19:44 X_Open Source
VLAI
Title
Forgejo < 15.0.3 - Stored XSS via Actions Run Full Name Rendering
Summary
Forgejo before 15.0.3 contains a stored cross-site scripting vulnerability that allows authenticated attackers to execute arbitrary JavaScript in other users' browsers by setting a full name containing an HTML payload and triggering an Actions run. When the DEFAULT_SHOW_FULL_NAME option is enabled, the run description is assembled server-side with the user's display name interpolated into an HTML string via a translation function that does not escape its arguments, and the frontend renders the result using a Vue v-html binding, causing script execution for any user who views the affected Actions run page.
Severity
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://codeberg.org/forgejo/forgejo/src/branch/f… | release-notespatch |
| https://github.com/geo-chen/oss/blob/main/forgejo.md | technical-descriptionexploit |
| https://codeberg.org/forgejo/forgejo/pulls/13002 | issue-tracking |
| https://www.vulncheck.com/advisories/forgejo-stor… | third-party-advisory |
Date Public
2026-06-10 00:00
Credits
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "forgejo",
"repo": "https://codeberg.org/forgejo/forgejo",
"vendor": "forgejo",
"versions": [
{
"lessThan": "15.0.3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:forgejo:forgejo:*:*:*:*:*:*:*:*",
"versionEndExcluding": "15.0.3",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "George Chen"
}
],
"datePublic": "2026-06-10T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Forgejo before 15.0.3 contains a stored cross-site scripting vulnerability that allows authenticated attackers to execute arbitrary JavaScript in other users\u0027 browsers by setting a full name containing an HTML payload and triggering an Actions run. When the DEFAULT_SHOW_FULL_NAME option is enabled, the run description is assembled server-side with the user\u0027s display name interpolated into an HTML string via a translation function that does not escape its arguments, and the frontend renders the result using a Vue v-html binding, causing script execution for any user who views the affected Actions run page."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.1,
"baseSeverity": "LOW",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-02T19:44:07.617Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "Release Notes",
"tags": [
"release-notes",
"patch"
],
"url": "https://codeberg.org/forgejo/forgejo/src/branch/forgejo/release-notes-published/15.0.3.md"
},
{
"name": "Researcher Disclosure",
"tags": [
"technical-description",
"exploit"
],
"url": "https://github.com/geo-chen/oss/blob/main/forgejo.md"
},
{
"name": "Fix PR",
"tags": [
"issue-tracking"
],
"url": "https://codeberg.org/forgejo/forgejo/pulls/13002"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/forgejo-stored-xss-via-actions-run-full-name-rendering"
}
],
"tags": [
"x_open-source"
],
"title": "Forgejo \u003c 15.0.3 - Stored XSS via Actions Run Full Name Rendering",
"x_generator": {
"engine": "vulncheck-endgame"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2026-59102",
"datePublished": "2026-07-02T19:44:07.617Z",
"dateReserved": "2026-07-02T15:38:18.929Z",
"dateUpdated": "2026-07-02T19:44:07.617Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68937 (GCVE-0-2025-68937)
Vulnerability from cvelistv5 – Published: 2025-12-25 23:57 – Updated: 2025-12-26 14:51
VLAI
Summary
Forgejo before 13.0.2 allows attackers to write to unintended files, and possibly obtain server shell access, because of mishandling of out-of-repository symlink destinations for template repositories. This is also fixed for 11 LTS in 11.0.7 and later.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-61 - UNIX Symbolic Link (Symlink) Following
Assigner
References
6 references
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-68937",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-26T14:40:08.642834Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-26T14:51:12.778Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Forgejo",
"vendor": "Forgejo",
"versions": [
{
"lessThan": "13.0.2",
"status": "affected",
"version": "12.0.0",
"versionType": "semver"
},
{
"lessThan": "11.0.7",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:forgejo:forgejo:*:*:*:*:*:*:*:*",
"versionEndExcluding": "13.0.2",
"versionStartIncluding": "12.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:forgejo:forgejo:*:*:*:*:*:*:*:*",
"versionEndExcluding": "11.0.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Forgejo before 13.0.2 allows attackers to write to unintended files, and possibly obtain server shell access, because of mishandling of out-of-repository symlink destinations for template repositories. This is also fixed for 11 LTS in 11.0.7 and later."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 9.5,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-61",
"description": "CWE-61 UNIX Symbolic Link (Symlink) Following",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-26T01:00:13.916Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://codeberg.org/forgejo/forgejo/src/branch/forgejo/release-notes-published/13.0.2.md"
},
{
"url": "https://codeberg.org/forgejo/forgejo/src/branch/forgejo/release-notes-published/11.0.7.md"
},
{
"url": "https://codeberg.org/forgejo/forgejo/milestone/29156"
},
{
"url": "https://codeberg.org/forgejo/forgejo/milestone/27340"
},
{
"url": "https://codeberg.org/forgejo/security-announcements/issues/43"
},
{
"url": "https://blog.gitea.com/release-of-1.24.7/"
}
],
"x_generator": {
"engine": "CVE-Request-form 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-68937",
"datePublished": "2025-12-25T23:57:30.456Z",
"dateReserved": "2025-12-25T23:57:30.203Z",
"dateUpdated": "2025-12-26T14:51:12.778Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-49948 (GCVE-0-2023-49948)
Vulnerability from cvelistv5 – Published: 2023-12-03 00:00 – Updated: 2024-08-02 22:09
VLAI
Summary
Forgejo before 1.20.5-1 allows remote attackers to test for the existence of private user accounts by appending .rss (or another extension) to a URL.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:09:49.130Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://forgejo.org/2023-11-release-v1-20-5-1/"
},
{
"tags": [
"x_transferred"
],
"url": "https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md"
},
{
"tags": [
"x_transferred"
],
"url": "https://codeberg.org/forgejo/forgejo/commit/d7408d8b0b04afd2a3c8e23cc908e7bd3849f34d"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Forgejo before 1.20.5-1 allows remote attackers to test for the existence of private user accounts by appending .rss (or another extension) to a URL."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-03T18:55:21.655Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://forgejo.org/2023-11-release-v1-20-5-1/"
},
{
"url": "https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md"
},
{
"url": "https://codeberg.org/forgejo/forgejo/commit/d7408d8b0b04afd2a3c8e23cc908e7bd3849f34d"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-49948",
"datePublished": "2023-12-03T00:00:00.000Z",
"dateReserved": "2023-12-03T00:00:00.000Z",
"dateUpdated": "2024-08-02T22:09:49.130Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-49947 (GCVE-0-2023-49947)
Vulnerability from cvelistv5 – Published: 2023-12-03 00:00 – Updated: 2024-08-02 22:09
VLAI
Summary
Forgejo before 1.20.5-1 allows 2FA bypass when docker login uses Basic Authentication.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:09:49.222Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://forgejo.org/2023-11-release-v1-20-5-1/"
},
{
"tags": [
"x_transferred"
],
"url": "https://codeberg.org/forgejo/forgejo/commit/44df78edd40076b349d50dc5fb02af417a44cfab"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Forgejo before 1.20.5-1 allows 2FA bypass when docker login uses Basic Authentication."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-03T18:55:33.844Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://forgejo.org/2023-11-release-v1-20-5-1/"
},
{
"url": "https://codeberg.org/forgejo/forgejo/commit/44df78edd40076b349d50dc5fb02af417a44cfab"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-49947",
"datePublished": "2023-12-03T00:00:00.000Z",
"dateReserved": "2023-12-03T00:00:00.000Z",
"dateUpdated": "2024-08-02T22:09:49.222Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-49946 (GCVE-0-2023-49946)
Vulnerability from cvelistv5 – Published: 2023-12-03 00:00 – Updated: 2024-08-02 22:09
VLAI
Summary
In Forgejo before 1.20.5-1, certain endpoints do not check whether an object belongs to a repository for which permissions are being checked. This allows remote attackers to read private issues, read private pull requests, delete issues, and perform other unauthorized actions.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:09:49.457Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://forgejo.org/2023-11-release-v1-20-5-1/"
},
{
"tags": [
"x_transferred"
],
"url": "https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md"
},
{
"tags": [
"x_transferred"
],
"url": "https://about.gitea.com/security"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/gogs/gogs/security"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Forgejo before 1.20.5-1, certain endpoints do not check whether an object belongs to a repository for which permissions are being checked. This allows remote attackers to read private issues, read private pull requests, delete issues, and perform other unauthorized actions."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-03T18:56:04.385Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://forgejo.org/2023-11-release-v1-20-5-1/"
},
{
"url": "https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md"
},
{
"url": "https://about.gitea.com/security"
},
{
"url": "https://github.com/gogs/gogs/security"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-49946",
"datePublished": "2023-12-03T00:00:00.000Z",
"dateReserved": "2023-12-03T00:00:00.000Z",
"dateUpdated": "2024-08-02T22:09:49.457Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}