CVE-2026-28705

Description
Gitea versions before 1.25.5 use release tag names and asset names as filesystem path components when dumping release assets, allowing specially crafted names to affect dump output paths.

Metadata

CVE ID
CVE-2026-28705
State
PUBLISHED
Assigner
Gitea
Reserved
2026-03-03 03:25 UTC
Published
2026-07-03 20:19 UTC
Last updated
2026-07-03 20:19 UTC
Primary CWE
CWE-22
Improper Limitation of a Pathname to a Restricted Directory
Vendor / Product
Gitea / Gitea Open Source Git Server
Sources
cve.org  ·  NVD

Severity & Metrics

No CVSS data available.

Affected products (1)
Vendor | Product | Platform | Versions
Gitea | Gitea Open Source Git Server | - | 0 < 1.25.5
Weakness (CWE)
CWE | Source | Description
CWE-22 | cna | Improper Limitation of a Pathname to a Restricted Directory
References (4)