In Gitea before 1.20.1, a forbidden URL scheme such as javascript: can be used for a link, aka XSS.

Metrics

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

Vendors Products
Gitea
  • Gitea

No data.

No data.

References
Link Providers
https://blog.gitea.com/release-of-1.20.1/ cve-icon cve-icon cve-icon
https://github.com/go-gitea/gitea/pull/25960 cve-icon cve-icon cve-icon
https://github.com/go-gitea/gitea/releases/tag/v1.20.1 cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2025-68946 cve-icon
https://www.cve.org/CVERecord?id=CVE-2025-68946 cve-icon
History

Sat, 27 Dec 2025 00:15:00 +0000

Type Values Removed Values Added
Title gitea: Gitea: Cross-Site Scripting (XSS) via forbidden URL scheme in links
References
Metrics threat_severity

None

 threat_severity

Moderate

Fri, 26 Dec 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 26 Dec 2025 04:30:00 +0000

Type Values Removed Values Added
Description In Gitea before 1.20.1, a forbidden URL scheme such as javascript: can be used for a link, aka XSS.
First Time appeared Gitea
Gitea gitea
Weaknesses CWE-79
CPEs cpe:2.3:a:gitea:gitea:*:*:*:*:*:*:*:*
Vendors & Products Gitea
Gitea gitea
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2025-12-26T04:14:03.775Z

Updated: 2025-12-26T18:59:45.647Z

Reserved: 2025-12-26T04:14:03.512Z

Link: CVE-2025-68946

cve-icon Vulnrichment

Updated: 2025-12-26T14:42:19.409Z

cve-icon NVD

Status : Received

Published: 2025-12-26T05:16:11.590

Modified: 2025-12-26T05:16:11.590

Link: CVE-2025-68946

cve-icon Redhat

Severity : Moderate

Publid Date: 2025-12-26T04:14:03Z

Links: CVE-2025-68946 - Bugzilla