CVE-2026-28705

Medium

Description

Gitea versions before 1.25.5 use release tag names and asset names as filesystem path components when dumping release assets, allowing specially crafted names to affect dump output paths.

References

https://github.com/go-gitea/gitea/releases/tag/v1.25.5

https://github.com/go-gitea/gitea/pull/36839

https://github.com/go-gitea/gitea/pull/36799

https://blog.gitea.com/release-of-1.25.5/

Details

Source: Mitre, NVD

Published: 2026-07-03

Updated: 2026-07-03

Risk Information

CVSS v2

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Severity: Medium

CVSS v3

Base Score: 5.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Severity: Medium