6.5
CVE-2026-20904 - Gitea: Broken access control in OpenID visibility toggle enables cross-user visibility changes
Gitea does not properly validate ownership when toggling OpenID URI visibility. An authenticated user may be able to change the visibility settings of other users' OpenID identities.
6.5
CVE-2026-20800 - Notification API Leaks Private Repository Issue Titles After Collaborator Permission Revocation
Gitea's notification API does not re-validate repository access permissions when returning notification details. After a user's access to a private repository is revoked, they may still view issue and pull request titles through previously received notifications.
6.5
CVE-2026-20883 - Gitea Stopwatch API Missing Authorization Check Leads to Post-Revocation Information Disclosure
Gitea's stopwatch API does not re-validate repository access permissions. After a user's access to a private repository is revoked, they may still view issue titles and repository names through previously started stopwatches.
7.5
CVE-2026-20736 - Gitea Web Attachment Deletion: Cross-Repository Unauthorized Deletion via Missing Repo Ownership Ch…
Gitea does not properly verify repository context when deleting attachments. A user who previously uploaded an attachment to a repository may be able to delete it after losing access to that repository by making the request through a different repository they can access.
3.5
CVE-2026-0798 - Gitea Release Email Notifications Leak Private Repository Release Details After Access Revocation
Gitea may send release notification emails for private repositories to users whose access has been revoked. When a repository is changed from public to private, users who previously watched the repository may continue to receive release notifications, potentially disclosing release titles, tags, an…
9.1
CVE-2026-20750 - Gitea Organization Projects Cross-Organization Authorization Bypass via Project ID (IDOR)
Gitea does not properly validate project ownership in organization project operations. A user with project write access in one organization may be able to modify projects belonging to a different organization.
8.1
CVE-2026-24058 - Soft Serve has Critical Authentication Bypass
Soft Serve is a self-hostable Git server for the command line. Versions 0.11.2 and below have a critical authentication bypass vulnerability that allows an attacker to impersonate any user (including admin) by "offering" the victim's public key during the SSH handshake before authenticating with th…
7.3
CVE-2026-23988 - Rufus has Local Privilege Escalation via TOCTOU Race Condition in Fido Script Handling
Rufus is a utility that helps format and create bootable USB flash drives. Versions 4.11 and below contain a race condition (TOCTOU) in src/net.c during the creation, validation, and execution of the Fido PowerShell script. Since Rufus runs with elevated privileges (Administrator) but writes the sc…
9.4
CVE-2026-1201 - Authorization Bypass Through User-Controlled Key in Hubitat Elevation Hubs
An Authorization Bypass Through User-Controlled Key vulnerability in Hubitat Elevation home automation controllers prior to version 2.4.2.157 could allow a remote authenticated user to control connected devices outside of their authorized scope via client-side request manipulation.
5.7
CVE-2025-9289 - Cross-Site Scripting (XSS) on Omada Controllers
A Cross-Site Scripting (XSS) vulnerability was identified in a parameter in Omada Controllers due to improper input sanitization. Exploitation requires advanced conditions, such as network positioning or emulating a trusted entity, and user interaction by an authenticated administrator. If successf…