Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 591b74b1c769 · 2026-01-23T20:15:56.000Z
GHSA-393c-qgvj-3xph GHSA-4xx9-vc8v-87hv GHSA-9cgq-wp42-4rpq GHSA-qqgv-v353-cv8p GHSA-rw22-5hhq-pfpf
diff --git a/advisories/github-reviewed/2026/01/GHSA-393c-qgvj-3xph/GHSA-393c-qgvj-3xph.json b/advisories/github-reviewed/2026/01/GHSA-393c-qgvj-3xph/GHSA-393c-qgvj-3xph.json
@@ -1,19 +1,41 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-393c-qgvj-3xph",
-  "modified": "2026-01-23T00:31:17Z",
+  "modified": "2026-01-23T20:14:46Z",
   "published": "2026-01-23T00:31:16Z",
   "aliases": [
     "CVE-2026-20897"
   ],
+  "summary": "Gitea does not properly validate repository ownership when deleting Git LFS locks",
   "details": "Gitea does not properly validate repository ownership when deleting Git LFS locks. A user with write access to one repository may be able to delete LFS locks belonging to other repositories.",
-  "severity": [],
-  "affected": [],
-  "references": [
+  "severity": [
     {
-      "type": "WEB",
-      "url": "https://github.com/go-gitea/gitea/security/advisories/GHSA-rrq5-r9h5-pc7c"
-    },
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/go-gitea/gitea"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.25.4"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
     {
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-20897"
@@ -26,10 +48,18 @@
       "type": "WEB",
       "url": "https://github.com/go-gitea/gitea/pull/36349"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/go-gitea/gitea/commit/da036f3f35ca830b22cf4480912ed261303b798f"
+    },
     {
       "type": "WEB",
       "url": "https://blog.gitea.com/release-of-1.25.4"
     },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/go-gitea/gitea"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/go-gitea/gitea/releases/tag/v1.25.4"
@@ -39,9 +69,9 @@
     "cwe_ids": [
       "CWE-284"
     ],
-    "severity": null,
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-01-23T20:14:46Z",
     "nvd_published_at": "2026-01-22T22:16:18Z"
   }
 }
diff --git a/advisories/github-reviewed/2026/01/GHSA-4xx9-vc8v-87hv/GHSA-4xx9-vc8v-87hv.json b/advisories/github-reviewed/2026/01/GHSA-4xx9-vc8v-87hv/GHSA-4xx9-vc8v-87hv.json
@@ -1,19 +1,41 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-4xx9-vc8v-87hv",
-  "modified": "2026-01-23T00:31:17Z",
+  "modified": "2026-01-23T20:14:52Z",
   "published": "2026-01-23T00:31:17Z",
   "aliases": [
     "CVE-2026-20912"
   ],
+  "summary": "Gitea does not properly validate repository ownership when linking attachments to releases",
   "details": "Gitea does not properly validate repository ownership when linking attachments to releases. An attachment uploaded to a private repository could potentially be linked to a release in a different public repository, making it accessible to unauthorized users.",
-  "severity": [],
-  "affected": [],
-  "references": [
+  "severity": [
     {
-      "type": "WEB",
-      "url": "https://github.com/go-gitea/gitea/security/advisories/GHSA-vfmv-f93v-37mw"
-    },
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/go-gitea/gitea"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.25.4"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
     {
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-20912"
@@ -26,10 +48,18 @@
       "type": "WEB",
       "url": "https://github.com/go-gitea/gitea/pull/36355"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/go-gitea/gitea/commit/fbea2c68e8df11cfa94e8ead913b79946780ed30"
+    },
     {
       "type": "WEB",
       "url": "https://blog.gitea.com/release-of-1.25.4"
     },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/go-gitea/gitea"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/go-gitea/gitea/releases/tag/v1.25.4"
@@ -39,9 +69,9 @@
     "cwe_ids": [
       "CWE-284"
     ],
-    "severity": null,
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-01-23T20:14:52Z",
     "nvd_published_at": "2026-01-22T22:16:19Z"
   }
 }
diff --git a/advisories/github-reviewed/2026/01/GHSA-9cgq-wp42-4rpq/GHSA-9cgq-wp42-4rpq.json b/advisories/github-reviewed/2026/01/GHSA-9cgq-wp42-4rpq/GHSA-9cgq-wp42-4rpq.json
@@ -1,19 +1,41 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-9cgq-wp42-4rpq",
-  "modified": "2026-01-23T00:31:16Z",
+  "modified": "2026-01-23T20:14:41Z",
   "published": "2026-01-23T00:31:16Z",
   "aliases": [
     "CVE-2026-20888"
   ],
+  "summary": "Gitea does not properly verify authorization when canceling scheduled auto-merges via the web interface",
   "details": "Gitea does not properly verify authorization when canceling scheduled auto-merges via the web interface. A user with read access to pull requests may be able to cancel auto-merges scheduled by other users.",
-  "severity": [],
-  "affected": [],
-  "references": [
+  "severity": [
     {
-      "type": "WEB",
-      "url": "https://github.com/go-gitea/gitea/security/advisories/GHSA-ccq9-c5hv-cf64"
-    },
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/go-gitea/gitea"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.25.4"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
     {
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-20888"
@@ -30,6 +52,10 @@
       "type": "WEB",
       "url": "https://blog.gitea.com/release-of-1.25.4"
     },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/go-gitea/gitea"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/go-gitea/gitea/releases/tag/v1.25.4"
@@ -39,9 +65,9 @@
     "cwe_ids": [
       "CWE-284"
     ],
-    "severity": null,
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-01-23T20:14:41Z",
     "nvd_published_at": "2026-01-22T22:16:17Z"
   }
 }
diff --git a/advisories/github-reviewed/2026/01/GHSA-qqgv-v353-cv8p/GHSA-qqgv-v353-cv8p.json b/advisories/github-reviewed/2026/01/GHSA-qqgv-v353-cv8p/GHSA-qqgv-v353-cv8p.json
@@ -1,19 +1,41 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-qqgv-v353-cv8p",
-  "modified": "2026-01-23T00:31:17Z",
+  "modified": "2026-01-23T20:15:01Z",
   "published": "2026-01-23T00:31:17Z",
   "aliases": [
     "CVE-2026-20904"
   ],
+  "summary": "Gitea does not properly validate ownership when toggling OpenID URI visibility",
   "details": "Gitea does not properly validate ownership when toggling OpenID URI visibility. An authenticated user may be able to change the visibility settings of other users' OpenID identities.",
-  "severity": [],
-  "affected": [],
-  "references": [
+  "severity": [
     {
-      "type": "WEB",
-      "url": "https://github.com/go-gitea/gitea/security/advisories/GHSA-jrpc-w85r-hgqx"
-    },
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/go-gitea/gitea"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.25.4"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
     {
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-20904"
@@ -26,10 +48,18 @@
       "type": "WEB",
       "url": "https://github.com/go-gitea/gitea/pull/36361"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/go-gitea/gitea/commit/ed5720af2ac94d74f822721c05b42b6148ff9c22"
+    },
     {
       "type": "WEB",
       "url": "https://blog.gitea.com/release-of-1.25.4"
     },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/go-gitea/gitea"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/go-gitea/gitea/releases/tag/v1.25.4"
@@ -39,9 +69,9 @@
     "cwe_ids": [
       "CWE-284"
     ],
-    "severity": null,
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-01-23T20:15:01Z",
     "nvd_published_at": "2026-01-22T22:16:19Z"
   }
 }
diff --git a/advisories/github-reviewed/2026/01/GHSA-rw22-5hhq-pfpf/GHSA-rw22-5hhq-pfpf.json b/advisories/github-reviewed/2026/01/GHSA-rw22-5hhq-pfpf/GHSA-rw22-5hhq-pfpf.json
