{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2025-68942", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "state": "PUBLISHED", "assignerShortName": "mitre", "dateReserved": "2025-12-26T02:50:34.878Z", "datePublished": "2025-12-26T02:50:35.144Z", "dateUpdated": "2025-12-26T19:30:04.360Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "packageURL": "pkg:golang/code.gitea.io/gitea", "product": "Gitea", "vendor": "Gitea", "versions": [{"lessThan": "1.22.2", "status": "affected", "version": "0", "versionType": "semver"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:gitea:gitea:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.22.2"}]}]}], "descriptions": [{"lang": "en", "value": "Gitea before 1.22.2 allows XSS because the search input box (for creating tags and branches) is v-html instead of v-text."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2025-12-26T18:58:40.767Z"}, "references": [{"url": "https://blog.gitea.com/release-of-1.22.2/"}, {"url": "https://github.com/go-gitea/gitea/releases/tag/v1.22.2"}, {"url": "https://github.com/go-gitea/gitea/pull/31966"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-26T19:29:56.320510Z", "id": "CVE-2025-68942", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-26T19:30:04.360Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-68942", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-26T19:29:56.320510Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-26T19:29:59.389Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Gitea", "product": "Gitea", "versions": [{"status": "affected", "version": "0", "lessThan": "1.22.2", "versionType": "semver"}], "packageURL": "pkg:golang/code.gitea.io/gitea", "defaultStatus": "unaffected"}], "references": [{"url": "https://blog.gitea.com/release-of-1.22.2/"}, {"url": "https://github.com/go-gitea/gitea/releases/tag/v1.22.2"}, {"url": "https://github.com/go-gitea/gitea/pull/31966"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "descriptions": [{"lang": "en", "value": "Gitea before 1.22.2 allows XSS because the search input box (for creating tags and branches) is v-html instead of v-text."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:gitea:gitea:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "1.22.2"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2025-12-26T18:58:40.767Z"}}}, "cveMetadata": {"cveId": "CVE-2025-68942", "state": "PUBLISHED", "dateUpdated": "2025-12-26T19:30:04.360Z", "dateReserved": "2025-12-26T02:50:34.878Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2025-12-26T02:50:35.144Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Gitea before 1.22.2 allows XSS because the search input box (for creating tags and branches) is v-html instead of v-text."}], "id": "CVE-2025-68942", "lastModified": "2025-12-26T03:15:51.117", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "[email protected]", "type": "Secondary"}]}, "published": "2025-12-26T03:15:51.117", "references": [{"source": "[email protected]", "url": "https://blog.gitea.com/release-of-1.22.2/"}, {"source": "[email protected]", "url": "https://github.com/go-gitea/gitea/pull/31966"}, {"source": "[email protected]", "url": "https://github.com/go-gitea/gitea/releases/tag/v1.22.2"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "[email protected]", "type": "Primary"}]}

{"bugzilla": {"description": "gitea: Gitea: Cross-Site Scripting (XSS) vulnerability via search input", "id": "2425464", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2425464"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.4", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "status": "draft"}, "cwe": "CWE-79", "details": ["A flaw was found in Gitea. A remote attacker could exploit a Cross-Site Scripting (XSS) vulnerability by injecting malicious scripts into the search input box. This occurs because the application improperly uses `v-html` instead of `v-text` for rendering user input. Successful exploitation allows for the execution of arbitrary code in the context of the user's browser, potentially leading to information disclosure or unauthorized actions."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2025-68942", "package_state": [{"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Out of support scope", "package_name": "openshift-pipelines/pipelines-pipelines-as-code-cli-rhel8", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Not affected", "package_name": "openshift-pipelines/pipelines-pipelines-as-code-cli-rhel9", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Out of support scope", "package_name": "openshift-pipelines/pipelines-pipelines-as-code-controller-rhel8", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Not affected", "package_name": "openshift-pipelines/pipelines-pipelines-as-code-controller-rhel9", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Out of support scope", "package_name": "openshift-pipelines/pipelines-pipelines-as-code-watcher-rhel8", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Not affected", "package_name": "openshift-pipelines/pipelines-pipelines-as-code-watcher-rhel9", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Out of support scope", "package_name": "openshift-pipelines/pipelines-pipelines-as-code-webhook-rhel8", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Not affected", "package_name": "openshift-pipelines/pipelines-pipelines-as-code-webhook-rhel9", "product_name": "OpenShift Pipelines"}], "public_date": "2025-12-26T02:50:35Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-68942\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-68942\nhttps://blog.gitea.com/release-of-1.22.2/\nhttps://github.com/go-gitea/gitea/pull/31966\nhttps://github.com/go-gitea/gitea/releases/tag/v1.22.2"], "statement": "This vulnerability is rated Moderate for Red Hat OpenShift Pipelines versions 1.16 and 1.17 due to a Cross-Site Scripting (XSS) flaw in the integrated Gitea component. The flaw allows a remote attacker to inject malicious scripts via the search input, potentially leading to information disclosure or unauthorized actions in the context of the user's browser. OpenShift Pipelines versions 1.18, 1.19, and 1.20 are not affected as the vulnerable code is not present.", "threat_severity": "Moderate"}