GHSA-263q-5cv3-xq9g

Suggest an improvement
Source
https://github.com/advisories/GHSA-263q-5cv3-xq9g
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-263q-5cv3-xq9g/GHSA-263q-5cv3-xq9g.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-263q-5cv3-xq9g
Aliases
Published
2025-12-26T03:30:15Z
Modified
2026-01-03T12:26:15.002359Z
Severity
  • 8.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:L CVSS Calculator
Summary
Gitea allows attackers to add attachments with forbidden file extensions
Details

Gitea before 1.23.0 allows attackers to add attachments with forbidden file extensions by editing an attachment name via an attachment API.

Database specific 
{
    "severity": "HIGH",
    "github_reviewed_at": "2025-12-26T19:12:02Z",
    "cwe_ids": [
        "CWE-424"
    ],
    "nvd_published_at": "2025-12-26T03:15:50Z",
    "github_reviewed": true
}
References

Affected packages

Go / code.gitea.io/gitea

Package

Name
code.gitea.io/gitea
View open source insights on deps.dev
Purl
pkg:golang/code.gitea.io/gitea

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-263q-5cv3-xq9g/GHSA-263q-5cv3-xq9g.json"

last_known_affected_version_range

"< 1.23.0"