Path Traversal Vulnerability in Gitea Affects Asset Management
CVE-2026-28705

Currently unrated

Key Information:

Vendor: Gitea
CVE Published: 3 July 2026

What is CVE-2026-28705?

Gitea versions prior to 1.25.5 are susceptible to a path traversal vulnerability due to the use of release tag names and asset names as filesystem path components. This flaw allows attackers to craft malicious names that can manipulate dump output paths during the export of release assets, potentially leading to unauthorized access or disclosure of sensitive information. Users are strongly encouraged to update to version 1.25.5 or later to mitigate this risk. For more details, check the release notes and patches associated with this issue.
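As an added example (not Gitea's own code), this is the defensive check an export or dump routine needs before a user-controlled release tag name or asset name becomes a filesystem path component: accept only a single plain filename component, then confirm the joined path still lies inside the dump directory. The function names, directory and sample names are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrUnsafeName is returned when a tag or asset name cannot be used as a path component.
var ErrUnsafeName = errors.New("unsafe path component")

// SafeComponent accepts only a single plain filename component: it rejects
// empty names, "." and "..", and anything containing a path separator or NUL,
// so the component can never move outside its parent directory.
func SafeComponent(name string) error {
	if name == "" || name == "." || name == ".." {
		return ErrUnsafeName
	}
	if strings.ContainsAny(name, `/\`) || strings.ContainsRune(name, 0) {
		return ErrUnsafeName
	}
	return nil
}

// DumpAssetPath builds <dumpDir>/<tag>/<asset>. Each component is validated
// first (clear error), and the cleaned result is then checked to still be
// inside dumpDir as a second, independent containment guard.
func DumpAssetPath(dumpDir, tag, asset string) (string, error) {
	for _, c := range []string{tag, asset} {
		if err := SafeComponent(c); err != nil {
			return "", fmt.Errorf("%w: %q", err, c)
		}
	}
	base := filepath.Clean(dumpDir)
	out := filepath.Join(base, tag, asset)
	rel, err := filepath.Rel(base, out)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: escapes %s", ErrUnsafeName, base)
	}
	return out, nil
}

func main() {
	// Constructed sample inputs: one ordinary release, one traversal-style name.
	for _, tc := range [][2]string{{"v1.25.5", "gitea-linux-amd64.xz"}, {"../../outside", "x"}} {
		p, err := DumpAssetPath("/srv/dump/releases", tc[0], tc[1])
		fmt.Printf("tag=%q asset=%q -> path=%q err=%v\n", tc[0], tc[1], p, err)
	}
}
```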

Affected Version(s)

Gitea Open Source Git Server: versions from 0 up to, but not including, 1.25.5

Timeline

  • Vulnerability published
  • Vulnerability reserved
Credit

Robert Flosbach from Neodyme AG.