Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-26231

Publication date:
03/07/2026
Gitea versions up to and including 1.26.1 allow the Allow edits from maintainers permission path to authorize commits to repositories that the user can read but should not be able to write.
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2026

CVE-2026-26232

Publication date:
03/07/2026
Gitea versions before 1.25.5 do not consistently enforce OAuth2 authorization code expiry and single-use behavior during token exchange.
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2026

CVE-2026-26247

Publication date:
03/07/2026
Gitea versions before 1.25.5 do not persist the OAuth2 PKCE S256 challenge method correctly during authorization, allowing token exchange without the expected verifier check.
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2026

CVE-2026-26292

Publication date:
03/07/2026
Gitea versions before 1.25.5 do not use the migration HTTP transport for LFS push and sync mirror operations, bypassing the configured migration transport protections for those LFS requests.
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2026

CVE-2026-26307

Publication date:
03/07/2026
Gitea versions before 1.25.5 do not enforce a timeout on git grep searches, allowing expensive searches to consume server resources.
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2026

CVE-2026-27657

Publication date:
03/07/2026
Gitea versions before 1.25.5 allow a user to change another user's primary email address.
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2026

CVE-2026-27660

Publication date:
03/07/2026
Gitea versions before 1.25.5 allow draft release data or attachments to be accessed without the required write permission.
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2026

CVE-2026-27761

Publication date:
03/07/2026
Gitea versions up to and including 1.26.2 allow repository RSS and Atom feed endpoints to bypass API access token scope checks, exposing private repository commit data to tokens without the required repository scope.
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2026

CVE-2026-22555

Publication date:
03/07/2026
Gitea versions before 1.26.0 allow API users to fork a repository into an organization without first passing the CanCreateOrgRepo check, which can expose organization secrets.
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2026

CVE-2026-22874

Publication date:
03/07/2026
Gitea versions up to and including 1.26.2 have incomplete SSRF protection in webhook and migration allow-list filtering.
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2026

CVE-2026-24451

Publication date:
03/07/2026
Gitea 1.26.2 allows fork synchronization to continue after a parent repository changes from public to private, exposing data to a fork that should no longer be authorized.
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2026

CVE-2026-24690

Publication date:
03/07/2026
Gitea versions before 1.25.5 have insufficient permission checks for updating or rebasing pull request branches.
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2026