CVE-2025-68942
Unknown Unknown - Not Provided

Cross-Site Scripting in Gitea Search Input Before

Vulnerability report for CVE-2025-68942, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-12-26

Last updated on: 2025-12-26

Assigner: MITRE

Description

Gitea before 1.22.2 allows XSS because the search input box (for creating tags and branches) is v-html instead of v-text.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-12-26
Last Modified
2025-12-26
Generated
2026-07-06
AI Q&A
2025-12-26
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
gitea gitea *
gitea gitea 1.22.2

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability in Gitea before version 1.22.2 is a cross-site scripting (XSS) issue caused by the use of the Vue.js directive `v-html` in the search input box for creating tags and branches. Using `v-html` allows raw HTML to be rendered, which can enable attackers to inject malicious scripts. The vulnerability was fixed by replacing `v-html` with `v-text`, which safely renders text without interpreting it as HTML, thereby preventing potential script injection and related security risks. [1, 3]

Impact Analysis

This vulnerability can allow attackers to execute malicious scripts in the context of the affected Gitea instance by injecting code through the search input box. This can lead to user information leakage, unauthorized actions performed on behalf of users, or other security issues related to cross-site scripting. The CVSS score indicates a moderate impact with potential confidentiality and integrity loss but no direct availability impact. [1, 3]

Mitigation Strategies

To mitigate CVE-2025-68942, you should upgrade your Gitea installation to version 1.22.2 or later, where the vulnerability has been fixed by replacing the unsafe Vue.js directive `v-html` with `v-text` in the search input box. This update prevents cross-site scripting (XSS) attacks by avoiding unsafe HTML rendering. Applying this update will close the vulnerability and improve overall security. [1, 3]

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-68942. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart