Forgejo - 5 CVEs (Page 1/1)

About “Forgejo”

A curated feed of “Forgejo”-related CVEs appears below. We currently track 5 CVEs for this tag (all time). In the last 365 days, 2 were published. Average CVSS is 7.6 (all time; 8.0 over 365d), and 60% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-400 - Uncontrolled Resource Consumption, CWE-61 - UNIX Symbolic Link (Symlink) Following.

In our taxonomy this topic maps to a LOW impact class. Developer and CI or CD tooling touches supply chains and secrets. Patch controllers and agents, enforce SSO or MFA, rotate tokens, isolate runners, and audit plugins. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

Support & lifecycle: forgejo

This table shows recent release cycles and their projected end-of-life. Data source: endoflife.date.

Cycle	Release	Latest	EOL	LTS
15.0	2026-04-16	15.0.2	2027-07-15	LTS
14.0	2026-01-15	14.0.5	2026-04-30 Expired
13.0	2025-10-16	13.0.5	2026-01-29 Expired
12.0	2025-07-17	12.0.4	2025-10-16 Expired
11.0	2025-04-16	11.0.14	2026-07-16 Soon	LTS
10.0	2025-01-16	10.0.3	2025-04-16 Expired
9.0	2024-10-16	9.0.3	2025-01-16 Expired
8.0	2024-07-30	8.0.3	2024-10-16 Expired
7.0	2024-04-23	7.0.16	2025-07-17 Expired	LTS

Maintained Soon (≤ 180 days) Expired

Subscribe lifecycle: RSS · RSS (expired) · ICS

Subscribe CVEs: RSS for “Forgejo” · RSS (High+Critical only)

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0

2026-03-16

Medium

CVE-2025-68971

In Forgejo through 13.0.3, the attachment component allows a denial of service by uploading a multi-gigabyte file attachment (e.g., to be associated with an issue or a release).

CVSS: 6.5 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD

2025-12-26

Critical

CVE-2025-68937

Forgejo before 13.0.2 allows attackers to write to unintended files, and possibly obtain server shell access, because of mishandling of out-of-repository symlink destinations for template repositorie…

CVSS: 9.5 CWE: CWE-61 - UNIX Symbolic Link (Symlink) Following View on NVD

2023-12-03

Medium

CVE-2023-49948

Forgejo before 1.20.5-1 allows remote attackers to test for the existence of private user accounts by appending .rss (or another extension) to a URL.

CVSS: 5.3 CWE: N/A View on NVD

High

CVE-2023-49947

Forgejo before 1.20.5-1 allows 2FA bypass when docker login uses Basic Authentication.

CVSS: 7.5 CWE: CWE-863 - Incorrect Authorization View on NVD

Critical

CVE-2023-49946

In Forgejo before 1.20.5-1, certain endpoints do not check whether an object belongs to a repository for which permissions are being checked. This allows remote attackers to read private issues, read…

CVSS: 9.1 CWE: CWE-732 - Incorrect Permission Assignment for Critical Resource View on NVD