CVE Daily – Forgejo (High+Critical) https://cvedaily.com/pages/tags/forgejo.html CVE Daily – Forgejo (High+Critical) en Wed, 03 Jun 2026 21:26:58 +0000 [Critical] CVE-2025-68937 – Forgejo before 13.0.2 allows attackers to write to unintended files, and possibl... https://nvd.nist.gov/vuln/detail/CVE-2025-68937 https://nvd.nist.gov/vuln/detail/CVE-2025-68937 Fri, 26 Dec 2025 00:16:01 +0000 Critical CVE-2025-68937

Forgejo before 13.0.2 allows attackers to write to unintended files, and possibly obtain server shell access, because of mishandling of out-of-repository symlink destinations for template repositories. This is also fixed for 11 LTS in 11.0.7 and later.

CVSS: 9.5 · CWE: CWE-61

View on NVD

]]> [High] CVE-2023-49947 – Forgejo before 1.20.5-1 allows 2FA bypass when docker login uses Basic Authentic... https://nvd.nist.gov/vuln/detail/CVE-2023-49947 https://nvd.nist.gov/vuln/detail/CVE-2023-49947 Sun, 03 Dec 2023 19:15:08 +0000 High CVE-2023-49947

Forgejo before 1.20.5-1 allows 2FA bypass when docker login uses Basic Authentication.

CVSS: 7.5 · CWE: CWE-863

View on NVD

]]> [Critical] CVE-2023-49946 – In Forgejo before 1.20.5-1, certain endpoints do not check whether an object bel... https://nvd.nist.gov/vuln/detail/CVE-2023-49946 https://nvd.nist.gov/vuln/detail/CVE-2023-49946 Sun, 03 Dec 2023 19:15:08 +0000 Critical CVE-2023-49946

In Forgejo before 1.20.5-1, certain endpoints do not check whether an object belongs to a repository for which permissions are being checked. This allows remote attackers to read private issues, read private pull requests, delete issues, and perform other unauthorized actions.

CVSS: 9.1 · CWE: CWE-732

View on NVD

]]>