Publish Advisories

GHSA-pv4c-p2j5-38j4
GHSA-2vgv-hgv4-22mh
GHSA-8fwc-qjw5-rvgp
GHSA-hgr3-x44x-33hx
GHSA-j8xr-c56q-m8jj

Author: advisory-database[bot]

advisories/github-reviewed/2018/08/GHSA-pv4c-p2j5-38j4/GHSA-pv4c-p2j5-38j4.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-pv4c-p2j5-38j4",
-  "modified": "2026-01-23T17:42:20Z",
+  "modified": "2026-01-23T20:10:56Z",
   "published": "2018-08-13T15:02:15Z",
   "aliases": [
     "CVE-2018-3774"
@@ -25,7 +25,7 @@
           "type": "ECOSYSTEM",
           "events": [
             {
-              "introduced": "0.1.0"
+              "introduced": "1.0.0"
             },
             {
               "fixed": "1.4.3"
@@ -40,6 +40,10 @@
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-3774"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/unshiftio/url-parse/commit/209c296d302317268afbe19700a70c63ecbeb2d2"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/unshiftio/url-parse/commit/53b1794e54d0711ceb52505e0f74145270570d5a"
@@ -58,7 +62,7 @@
     },
     {
       "type": "WEB",
-      "url": "https://github.com/unshiftio/url-parse/compare/0.0.4...0.1.0"
+      "url": "https://github.com/unshiftio/url-parse/compare/0.2.3...1.0.0"
     }
   ],
   "database_specific": {

…-2vgv-hgv4-22mh/GHSA-2vgv-hgv4-22mh.json …-2vgv-hgv4-22mh/GHSA-2vgv-hgv4-22mh.jsonadvisories/unreviewed/2026/01/GHSA-2vgv-hgv4-22mh/GHSA-2vgv-hgv4-22mh.json renamed to advisories/github-reviewed/2026/01/GHSA-2vgv-hgv4-22mh/GHSA-2vgv-hgv4-22mh.json advisories/unreviewed/2026/01/GHSA-2vgv-hgv4-22mh/GHSA-2vgv-hgv4-22mh.json renamed to advisories/github-reviewed/2026/01/GHSA-2vgv-hgv4-22mh/GHSA-2vgv-hgv4-22mh.json

@@ -1,19 +1,41 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-2vgv-hgv4-22mh",
-  "modified": "2026-01-23T00:31:16Z",
+  "modified": "2026-01-23T20:11:50Z",
   "published": "2026-01-23T00:31:16Z",
   "aliases": [
     "CVE-2026-20800"
   ],
+  "summary": "Gitea improperly exposes issue and pull request titles",
   "details": "Gitea's notification API does not re-validate repository access permissions when returning notification details. After a user's access to a private repository is revoked, they may still view issue and pull request titles through previously received notifications.",
-  "severity": [],
-  "affected": [],
-  "references": [
+  "severity": [
     {
-      "type": "WEB",
-      "url": "https://github.com/go-gitea/gitea/security/advisories/GHSA-g54m-9f6g-wj7q"
-    },
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/go-gitea/gitea"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.25.4"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
     {
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-20800"
@@ -22,10 +44,18 @@
       "type": "WEB",
       "url": "https://github.com/go-gitea/gitea/pull/36339"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/go-gitea/gitea/commit/67e75f30a83d2523cedc37ad7b03bcba66947833"
+    },
     {
       "type": "WEB",
       "url": "https://blog.gitea.com/release-of-1.25.4"
     },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/go-gitea/gitea"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/go-gitea/gitea/releases/tag/v1.25.4"
@@ -35,9 +65,9 @@
     "cwe_ids": [
       "CWE-200"
     ],
-    "severity": null,
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "severity": "LOW",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-01-23T20:11:50Z",
     "nvd_published_at": "2026-01-22T22:16:17Z"
   }
 }

…-8fwc-qjw5-rvgp/GHSA-8fwc-qjw5-rvgp.json …-8fwc-qjw5-rvgp/GHSA-8fwc-qjw5-rvgp.jsonadvisories/unreviewed/2026/01/GHSA-8fwc-qjw5-rvgp/GHSA-8fwc-qjw5-rvgp.json renamed to advisories/github-reviewed/2026/01/GHSA-8fwc-qjw5-rvgp/GHSA-8fwc-qjw5-rvgp.json advisories/unreviewed/2026/01/GHSA-8fwc-qjw5-rvgp/GHSA-8fwc-qjw5-rvgp.json renamed to advisories/github-reviewed/2026/01/GHSA-8fwc-qjw5-rvgp/GHSA-8fwc-qjw5-rvgp.json

@@ -1,19 +1,41 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-8fwc-qjw5-rvgp",
-  "modified": "2026-01-23T00:31:16Z",
+  "modified": "2026-01-23T20:11:25Z",
   "published": "2026-01-23T00:31:16Z",
   "aliases": [
     "CVE-2026-0798"
   ],
+  "summary": "Gitea may send release notification emails for private repositories to users whose access has been revoked",
   "details": "Gitea may send release notification emails for private repositories to users whose access has been revoked. When a repository is changed from public to private, users who previously watched the repository may continue to receive release notifications, potentially disclosing release titles, tags, and content.",
-  "severity": [],
-  "affected": [],
-  "references": [
+  "severity": [
     {
-      "type": "WEB",
-      "url": "https://github.com/go-gitea/gitea/security/advisories/GHSA-f4wq-6ww5-m56p"
-    },
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "code.gitea.io/gitea"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.25.4"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
     {
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0798"
@@ -26,6 +48,10 @@
       "type": "WEB",
       "url": "https://blog.gitea.com/release-of-1.25.4"
     },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/go-gitea/gitea"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/go-gitea/gitea/releases/tag/v1.25.4"
@@ -35,9 +61,9 @@
     "cwe_ids": [
       "CWE-284"
     ],
-    "severity": null,
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "severity": "LOW",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-01-23T20:11:25Z",
     "nvd_published_at": "2026-01-22T22:16:15Z"
   }
 }

…-hgr3-x44x-33hx/GHSA-hgr3-x44x-33hx.json …-hgr3-x44x-33hx/GHSA-hgr3-x44x-33hx.jsonadvisories/unreviewed/2026/01/GHSA-hgr3-x44x-33hx/GHSA-hgr3-x44x-33hx.json renamed to advisories/github-reviewed/2026/01/GHSA-hgr3-x44x-33hx/GHSA-hgr3-x44x-33hx.json advisories/unreviewed/2026/01/GHSA-hgr3-x44x-33hx/GHSA-hgr3-x44x-33hx.json renamed to advisories/github-reviewed/2026/01/GHSA-hgr3-x44x-33hx/GHSA-hgr3-x44x-33hx.json

@@ -1,19 +1,41 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-hgr3-x44x-33hx",
-  "modified": "2026-01-23T00:31:16Z",
+  "modified": "2026-01-23T20:11:37Z",
   "published": "2026-01-23T00:31:16Z",
   "aliases": [
     "CVE-2026-20736"
   ],
+  "summary": "Gitea has improper access control for uploaded attachments",
   "details": "Gitea does not properly verify repository context when deleting attachments. A user who previously uploaded an attachment to a repository may be able to delete it after losing access to that repository by making the request through a different repository they can access.",
-  "severity": [],
-  "affected": [],
-  "references": [
+  "severity": [
     {
-      "type": "WEB",
-      "url": "https://github.com/go-gitea/gitea/security/advisories/GHSA-jr6h-pwwp-c8g6"
-    },
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "code.gitea.io/gitea"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.25.4"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
     {
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-20736"
@@ -22,10 +44,18 @@
       "type": "WEB",
       "url": "https://github.com/go-gitea/gitea/pull/36320"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/go-gitea/gitea/commit/fbea2c68e8df11cfa94e8ead913b79946780ed30"
+    },
     {
       "type": "WEB",
       "url": "https://blog.gitea.com/release-of-1.25.4"
     },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/go-gitea/gitea"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/go-gitea/gitea/releases/tag/v1.25.4"
@@ -35,9 +65,9 @@
     "cwe_ids": [
       "CWE-284"
     ],
-    "severity": null,
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "severity": "LOW",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-01-23T20:11:37Z",
     "nvd_published_at": "2026-01-22T22:16:17Z"
   }
 }

…-j8xr-c56q-m8jj/GHSA-j8xr-c56q-m8jj.json …-j8xr-c56q-m8jj/GHSA-j8xr-c56q-m8jj.jsonadvisories/unreviewed/2026/01/GHSA-j8xr-c56q-m8jj/GHSA-j8xr-c56q-m8jj.json renamed to advisories/github-reviewed/2026/01/GHSA-j8xr-c56q-m8jj/GHSA-j8xr-c56q-m8jj.json advisories/unreviewed/2026/01/GHSA-j8xr-c56q-m8jj/GHSA-j8xr-c56q-m8jj.json renamed to advisories/github-reviewed/2026/01/GHSA-j8xr-c56q-m8jj/GHSA-j8xr-c56q-m8jj.json

@@ -1,19 +1,41 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-j8xr-c56q-m8jj",
-  "modified": "2026-01-23T00:31:16Z",
+  "modified": "2026-01-23T20:11:59Z",
   "published": "2026-01-23T00:31:16Z",
   "aliases": [
     "CVE-2026-20883"
   ],
+  "summary": "Gitea improperly exposes issue titles and repository names through previously started stopwatches",
   "details": "Gitea's stopwatch API does not re-validate repository access permissions. After a user's access to a private repository is revoked, they may still view issue titles and repository names through previously started stopwatches.",
-  "severity": [],
-  "affected": [],
-  "references": [
+  "severity": [
     {
-      "type": "WEB",
-      "url": "https://github.com/go-gitea/gitea/security/advisories/GHSA-644v-xv3j-xgqg"
-    },
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/go-gitea/gitea"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.25.4"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
     {
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-20883"
@@ -26,22 +48,30 @@
       "type": "WEB",
       "url": "https://github.com/go-gitea/gitea/pull/36368"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/go-gitea/gitea/commit/95ea2df00a70176c516b12f3cfee8c84a310280f"
+    },
     {
       "type": "WEB",
       "url": "https://blog.gitea.com/release-of-1.25.4"
     },
     {
       "type": "WEB",
       "url": "https://github.com/go-gitea/gitea/releases/tag/v1.25.4"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://pkg.go.dev/github.com/go-gitea/gitea"
     }
   ],
   "database_specific": {
     "cwe_ids": [
       "CWE-284"
     ],
-    "severity": null,
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "severity": "LOW",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-01-23T20:11:59Z",
     "nvd_published_at": "2026-01-22T22:16:17Z"
   }
 }