CVE-2025-68946
Unknown Unknown - Not Provided
Cross-Site Scripting in Gitea Links via Forbidden URL Scheme

Publication date: 2025-12-26

Last updated on: 2025-12-26

Assigner: MITRE

Description
In Gitea before 1.20.1, a forbidden URL scheme such as javascript: can be used for a link, aka XSS.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-26
Last Modified
2025-12-26
Generated
2026-06-16
AI Q&A
2025-12-26
EPSS Evaluated
2026-06-15
NVD
CVE-2025-68946
EUVD
EUVD-2025-205421
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
gitea gitea 1.20.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided resources do not explicitly discuss the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA. However, since the vulnerability allows execution of arbitrary code via dangerous URL schemes, it could potentially lead to unauthorized access or leakage of user information, which may affect compliance with data protection regulations. The fix prevents such exploitation by disallowing dangerous URL schemes, thereby improving security posture. Still, no direct mention of compliance impact is given. [1, 2]

Executive Summary

This vulnerability in Gitea versions before 1.20.1 allows the use of forbidden URL schemes such as 'javascript:' in links. These dangerous URL schemes can be exploited to execute arbitrary code on a user's computer when they click on a malicious link, leading to a cross-site scripting (XSS) attack. The issue arises because the application did not properly restrict these URL schemes, allowing attackers to inject harmful scripts via links. [1, 2]

Impact Analysis

The vulnerability can impact you by enabling attackers to execute arbitrary code on your computer through malicious links containing dangerous URL schemes like 'javascript:'. This can lead to security risks such as unauthorized access, data leakage, or other malicious activities triggered by clicking on crafted links within the Gitea application. It poses a significant security risk especially when interacting with untrusted sources. [1, 2]

Detection Guidance

You can detect this vulnerability by checking if your Gitea instance is running a version prior to 1.20.1, as versions before this allow dangerous URL schemes such as 'javascript:' in links. To identify potentially malicious links, you could search the database or exported data for URLs starting with 'javascript:', 'vbscript:', or 'data:' schemes. For example, if you have access to the Gitea database, you might run SQL queries to find such URLs in issues, comments, or wiki pages. Additionally, monitoring HTTP traffic for suspicious URL schemes in links served by Gitea could help detect exploitation attempts. Specific commands depend on your environment, but a sample grep command on exported data or logs could be: grep -rE 'href=["\'](javascript:|vbscript:|data:)' /path/to/gitea/data. However, no explicit detection commands are provided in the resources. [1, 2]

Mitigation Strategies

The immediate mitigation step is to upgrade your Gitea installation to version 1.20.1 or later, where this vulnerability is fixed by disallowing dangerous URL schemes such as 'javascript:', 'vbscript:', and 'data:' (except for data URI images). This update prevents execution of arbitrary code via malicious links. Applying this update is critical to secure your system. Additionally, review and sanitize any existing content that may contain dangerous URL schemes to prevent exploitation until the upgrade is applied. [1, 2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-68946. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart