Description
In Gitea before 1.20.1, a forbidden URL scheme such as javascript: can be used for a link, aka XSS.
Published: 2025-12-26
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Remediation

No vendor fix or workaround currently provided.

Additional remediation guidance may be available on OpenCVE Cloud.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-hq57-c72x-4774 Gitea vulnerable to Cross-site Scripting
History

Sat, 27 Dec 2025 00:15:00 +0000

Type Values Removed Values Added
Title gitea: Gitea: Cross-Site Scripting (XSS) via forbidden URL scheme in links
References
Metrics threat_severity

None

 threat_severity

Moderate

Fri, 26 Dec 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 26 Dec 2025 04:30:00 +0000

Type Values Removed Values Added
Description In Gitea before 1.20.1, a forbidden URL scheme such as javascript: can be used for a link, aka XSS.
First Time appeared Gitea
Gitea gitea
Weaknesses CWE-79
CPEs cpe:2.3:a:gitea:gitea:*:*:*:*:*:*:*:*
Vendors & Products Gitea
Gitea gitea
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Gitea Gitea
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2025-12-26T18:59:45.647Z

Reserved: 2025-12-26T04:14:03.512Z

Link: CVE-2025-68946

cve-icon Vulnrichment

Updated: 2025-12-26T14:42:19.409Z

cve-icon NVD

Status : Analyzed

Published: 2025-12-26T05:16:11.590

Modified: 2025-12-31T22:17:49.283

Link: CVE-2025-68946

cve-icon Redhat

Severity : Moderate

Publid Date: 2025-12-26T04:14:03Z

Links: CVE-2025-68946 - Bugzilla

cve-icon OpenCVE Enrichment

No data.

Weaknesses