x/vulndb: potential Go vuln in github.com/go-gitea/gitea: GHSA-393c-qgvj-3xph

[GoVulnBot]

Advisory GHSA-393c-qgvj-3xph references a vulnerability in the following Go modules:

Module
code.gitea.io/gitea

Description:
Gitea does not properly validate repository ownership when deleting Git LFS locks. A user with write access to one repository may be able to delete LFS locks belonging to other repositories.

References:

• ADVISORY: GHSA-393c-qgvj-3xph
• ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2026-20897
• FIX: go-gitea/gitea@da036f3
• FIX: LFS locks must belong to the intended repo go-gitea/gitea#36344
• FIX: LFS locks must belong to the intended repo (#36344) go-gitea/gitea#36349
• WEB: https://blog.gitea.com/release-of-1.25.4
• WEB: https://github.com/go-gitea/gitea/releases/tag/v1.25.4

Cross references:

• code.gitea.io/gitea appears in 30 other report(s):
  • data/reports/GO-2022-0310.yaml (x/vulndb: potential Go vuln in github.com/go-gitea/gitea: CVE-2021-45327 #310)
  • data/reports/GO-2022-0315.yaml (x/vulndb: potential Go vuln in github.com/go-gitea/gitea: CVE-2021-45331 #315)
  • data/reports/GO-2022-0353.yaml (x/vulndb: potential Go vuln in github.com/go-gitea/gitea: CVE-2021-29134 #353)
  • data/reports/GO-2022-0442.yaml (x/vulndb: potential Go vuln in github.com/go-gitea/gitea: CVE-2022-27313 #442)
  • data/reports/GO-2022-0450.yaml (x/vulndb: potential Go vuln in github.com/go-gitea/gitea: CVE-2022-30781 #450)
  • data/reports/GO-2022-0609.yaml (x/vulndb: potential Go vuln in code.gitea.io/gitea: GHSA-jr9c-h74f-2v28 #609)
  • data/reports/GO-2022-0612.yaml (x/vulndb: potential Go vuln in code.gitea.io/gitea: GHSA-ph3w-2843-72mx #612)
  • data/reports/GO-2022-0830.yaml (x/vulndb: potential Go vuln in github.com/go-gitea/gitea: GHSA-g2qx-6ghw-67hm #830)
  • data/reports/GO-2022-0832.yaml (x/vulndb: potential Go vuln in code.gitea.io/gitea: GHSA-g95p-88p4-76cm #832)
  • data/reports/GO-2022-0844.yaml (x/vulndb: potential Go vuln in code.gitea.io/gitea: GHSA-hf6f-jq25-8gq9 #844)
  • data/reports/GO-2022-0982.yaml (x/vulndb: potential Go vuln in code.gitea.io/gitea: CVE-2021-45330, GHSA-pg38-r834-g45j #982)
  • data/reports/GO-2022-1065.yaml (x/vulndb: potential Go vuln in github.com/go-gitea/gitea: CVE-2022-42968 #1065)
  • data/reports/GO-2023-1894.yaml (x/vulndb: potential Go vuln in code.gitea.io/gitea: GHSA-cf6v-9j57-v6r6 #1894)
  • data/reports/GO-2023-1922.yaml (x/vulndb: potential Go vuln in code.gitea.io/gitea: GHSA-5rh7-6gfj-mc87 #1922)
  • data/reports/GO-2023-1971.yaml (x/vulndb: potential Go vuln in gogs.io/gogs: GHSA-fg3x-rwq9-74cw #1971)
  • data/reports/GO-2023-1999.yaml (x/vulndb: potential Go vuln in github.com/go-gitea/gitea: CVE-2022-38795 #1999)
  • data/reports/GO-2024-2752.yaml (x/vulndb: potential Go vuln in code.gitea.io/gitea: GHSA-4rqq-rxvc-v2rc #2752)
  • data/reports/GO-2024-2757.yaml (x/vulndb: potential Go vuln in github.com/go-gitea/gitea: GHSA-9f8c-pfvv-p4gm #2757)
  • data/reports/GO-2024-2769.yaml (x/vulndb: potential Go vuln in code.gitea.io/gitea: GHSA-fhv8-m4j4-cww2 #2769)
  • data/reports/GO-2024-3056.yaml (x/vulndb: potential Go vuln in github.com/go-gitea/gitea: CVE-2024-6886 #3056)
  • data/reports/GO-2025-4258.yaml (x/vulndb: potential Go vuln in code.gitea.io/gitea: GHSA-cm54-pfmc-xrwx #4258)
  • data/reports/GO-2025-4261.yaml (x/vulndb: potential Go vuln in code.gitea.io/gitea: GHSA-263q-5cv3-xq9g #4261)
  • data/reports/GO-2025-4262.yaml (x/vulndb: potential Go vuln in code.gitea.io/gitea: GHSA-7xq4-mwcp-q8fx #4262)
  • data/reports/GO-2025-4263.yaml (x/vulndb: potential Go vuln in code.gitea.io/gitea: GHSA-898p-hh3p-hf9r #4263)
  • data/reports/GO-2025-4264.yaml (x/vulndb: potential Go vuln in code.gitea.io/gitea: GHSA-f85h-c7m6-cfpm #4264)
  • data/reports/GO-2025-4265.yaml (x/vulndb: potential Go vuln in code.gitea.io/gitea: GHSA-hq57-c72x-4774 #4265)
  • data/reports/GO-2025-4266.yaml (x/vulndb: potential Go vuln in code.gitea.io/gitea: GHSA-jhx5-4vr4-f327 #4266)
  • data/reports/GO-2025-4267.yaml (x/vulndb: potential Go vuln in code.gitea.io/gitea: GHSA-rrcw-5rjv-vj26 #4267)
  • data/reports/GO-2025-4268.yaml (x/vulndb: potential Go vuln in code.gitea.io/gitea: GHSA-xfq3-qj7j-4565 #4268)
  • data/reports/GO-2026-4274.yaml (x/vulndb: potential Go vuln in code.gitea.io/gitea: GHSA-pc73-rj2c-wvf9 #4274)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: code.gitea.io/gitea
      versions:
        - fixed: 1.25.4
      vulnerable_at: 1.25.3
summary: |-
    Gitea does not properly validate repository ownership when deleting Git LFS
    locks in code.gitea.io/gitea
cves:
    - CVE-2026-20897
ghsas:
    - GHSA-393c-qgvj-3xph
references:
    - advisory: https://github.com/advisories/GHSA-393c-qgvj-3xph
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2026-20897
    - fix: https://github.com/go-gitea/gitea/commit/da036f3f35ca830b22cf4480912ed261303b798f
    - fix: https://github.com/go-gitea/gitea/pull/36344
    - fix: https://github.com/go-gitea/gitea/pull/36349
    - web: https://blog.gitea.com/release-of-1.25.4
    - web: https://github.com/go-gitea/gitea/releases/tag/v1.25.4
source:
    id: GHSA-393c-qgvj-3xph
    created: 2026-01-23T21:01:25.871219578Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/741100 mentions this issue: data/reports: add 20 reports