CVE-2026-28705 PUBLISHED

Gitea repository dumps write release assets using unsafe path names

Assigner: Gitea
Reserved: 03.03.2026
Published: 03.07.2026
Updated: 03.07.2026

Gitea versions before 1.25.5 use release tag names and asset names directly as filesystem path components when dumping release assets, so a specially crafted tag or asset name can influence where the dump writes its output files.

Product Status

Vendor: Gitea
Product: Gitea Open Source Git Server
Versions (default: unaffected):
  • affected from 0 to 1.25.5 (excl.)

Credits

  • Robert Flosbach from Neodyme AG (reporter)

References

Problem Types

  • Improper Limitation of a Pathname to a Restricted Directory (CWE)