GHSA-8fwc-qjw5-rvgp

Source
https://github.com/advisories/GHSA-8fwc-qjw5-rvgp
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-8fwc-qjw5-rvgp/GHSA-8fwc-qjw5-rvgp.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-8fwc-qjw5-rvgp
Aliases
Published
2026-01-23T00:31:16Z
Modified
2026-02-03T03:08:38.336921Z
Severity
  • 2.3 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Summary
Gitea may send release notification emails for private repositories to users whose access has been revoked
Details

Gitea may send release notification emails for private repositories to users whose access has been revoked. When a repository is changed from public to private, users who previously watched the repository may continue to receive release notifications, potentially disclosing release titles, tags, and content.

Database specific
{
    "cwe_ids": [
        "CWE-284"
    ],
    "github_reviewed_at": "2026-01-23T20:11:25Z",
    "nvd_published_at": "2026-01-22T22:16:15Z",
    "severity": "LOW",
    "github_reviewed": true
}
References

Affected packages

Go / code.gitea.io/gitea

Package

Name
code.gitea.io/gitea
Purl
pkg:golang/code.gitea.io/gitea

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.25.4

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-8fwc-qjw5-rvgp/GHSA-8fwc-qjw5-rvgp.json"