CVE-2025-68942
Unknown Unknown - Not Provided
Cross-Site Scripting in Gitea Search Input Before

Publication date: 2025-12-26

Last updated on: 2025-12-26

Assigner: MITRE

Description
Gitea before 1.22.2 allows XSS because the search input box (for creating tags and branches) is v-html instead of v-text.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-26
Last Modified
2025-12-26
Generated
2026-06-16
AI Q&A
2025-12-26
EPSS Evaluated
2026-06-14
NVD
CVE-2025-68942
EUVD
EUVD-2025-205413
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
gitea gitea *
gitea gitea 1.22.2
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in Gitea before version 1.22.2 is a cross-site scripting (XSS) issue caused by the use of the Vue.js directive `v-html` in the search input box for creating tags and branches. Using `v-html` allows raw HTML to be rendered, which can enable attackers to inject malicious scripts. The vulnerability was fixed by replacing `v-html` with `v-text`, which safely renders text without interpreting it as HTML, thereby preventing potential script injection and related security risks. [1, 3]

Impact Analysis

This vulnerability can allow attackers to execute malicious scripts in the context of the affected Gitea instance by injecting code through the search input box. This can lead to user information leakage, unauthorized actions performed on behalf of users, or other security issues related to cross-site scripting. The CVSS score indicates a moderate impact with potential confidentiality and integrity loss but no direct availability impact. [1, 3]

Mitigation Strategies

To mitigate CVE-2025-68942, you should upgrade your Gitea installation to version 1.22.2 or later, where the vulnerability has been fixed by replacing the unsafe Vue.js directive `v-html` with `v-text` in the search input box. This update prevents cross-site scripting (XSS) attacks by avoiding unsafe HTML rendering. Applying this update will close the vulnerability and improve overall security. [1, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-68942. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart