CVE Catalog

CVE-2026-22874

Severity: Critical (CVSS 9.6)
Source: NVD (NIST), translated

Exploitation Probability (EPSS)

0.46% (low risk)

37th percentile: higher than 37% of all known CVEs

Summary

CVE-2026-22874 affects Gitea versions up to and including 1.26.2. Outbound requests made for webhook deliveries and repository migrations are protected against SSRF by allow-list filtering of the target host, and that filtering is incomplete: an attacker who can supply a webhook or migration URL may be able to reach destinations the allow-list is meant to block.

Risk Assessment

Both features make the Gitea server issue HTTP requests to a user-supplied URL, so an account that can create webhooks or start migrations could direct those requests at internal network resources (services bound to loopback, hosts on private ranges, or, in cloud deployments, the instance metadata endpoint). Responses or side effects of such requests could lead to data leakage, privilege escalation, or further attacks on the infrastructure.
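To show what "complete" host filtering for outbound webhook and migration requests has to cover, the following Go program is an added example; it is not Gitea's code and it does not reproduce the specific gap behind this CVE, which the advisory does not detail. The Policy type, CheckURL, StubLookup and stubTable are hypothetical names, and the resolver table is constructed so the program runs offline. The check rejects every form an attacker commonly uses to slip past a host-string check: IPv4-mapped IPv6 literals, the unspecified address 0.0.0.0, link-local metadata addresses, a name with one public and one private DNS record, and shorthand such as "127.1" that the OS resolver turns into 127.0.0.1.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
	"net/url"
	"strings"
)

// Policy is a hypothetical outbound allow-list with the three destination
// classes such lists usually expose plus explicit entries; not Gitea's type.
type Policy struct {
	AllowExternal bool
	AllowPrivate  bool            // RFC 1918, link-local (169.254.169.254), multicast
	AllowLoopback bool            // 127/8, ::1, and 0.0.0.0 (reaches localhost on Linux)
	Hosts         map[string]bool // exact hostnames permitted whatever they resolve to
	Nets          []netip.Prefix  // explicit CIDRs permitted whatever their class
}

// LookupFunc resolves a hostname; injected so the example runs offline.
// Production code would wrap net.DefaultResolver.LookupNetIP here.
type LookupFunc func(host string) ([]netip.Addr, error)

var ErrBlocked = errors.New("destination not permitted by allow-list")

// check classifies one concrete address and reports whether the policy allows it.
func (p Policy) check(ip netip.Addr) (class string, ok bool) {
	ip = ip.Unmap() // ::ffff:127.0.0.1 is 127.0.0.1
	for _, n := range p.Nets {
		if n.Contains(ip) {
			return "listed", true
		}
	}
	switch {
	case ip.IsLoopback(), ip.IsUnspecified():
		return "loopback", p.AllowLoopback
	case ip.IsPrivate(), ip.IsLinkLocalUnicast(), ip.IsMulticast():
		return "private", p.AllowPrivate
	}
	return "external", p.AllowExternal
}

// CheckURL vets an outbound target. Every address the host resolves to must
// pass (one public plus one private record is rejected), and the vetted
// addresses are returned so the caller dials exactly those instead of
// resolving again, which closes the DNS-rebinding window between check and dial.
func CheckURL(rawURL string, p Policy, lookup LookupFunc) ([]netip.Addr, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, fmt.Errorf("scheme %q not permitted", u.Scheme)
	}
	host := strings.ToLower(strings.TrimSuffix(u.Hostname(), "."))
	var addrs []netip.Addr
	if ip, perr := netip.ParseAddr(host); perr == nil {
		addrs = []netip.Addr{ip} // literal address, nothing to resolve
	} else if addrs, err = lookup(host); err != nil || len(addrs) == 0 {
		// shorthand such as "127.1" is not a literal to netip but the OS resolver
		// accepts it; sending it through lookup keeps the check on real addresses
		return nil, fmt.Errorf("resolve %s: %v", host, err)
	}
	if p.Hosts[host] {
		return addrs, nil // explicitly listed name
	}
	for _, a := range addrs {
		if class, ok := p.check(a); !ok {
			return nil, fmt.Errorf("%w: %s -> %s (%s)", ErrBlocked, host, a, class)
		}
	}
	return addrs, nil
}

// stubTable is a constructed resolver for the offline example.
var stubTable = map[string][]netip.Addr{
	"hooks.example.com": {netip.MustParseAddr("203.0.113.10")},
	"metadata.internal": {netip.MustParseAddr("169.254.169.254")},
	"dual.example.com":  {netip.MustParseAddr("203.0.113.20"), netip.MustParseAddr("10.0.0.5")},
	"127.1":             {netip.MustParseAddr("127.0.0.1")},
}

func StubLookup(host string) ([]netip.Addr, error) {
	if a, ok := stubTable[host]; ok {
		return a, nil
	}
	return nil, fmt.Errorf("no such host: %s", host)
}

func main() {
	pol := Policy{AllowExternal: true} // the common default: external destinations only
	for _, t := range []string{"https://hooks.example.com/ci", "http://[::ffff:127.0.0.1]:3000/",
		"http://metadata.internal/latest/meta-data/", "http://dual.example.com/", "http://127.1/"} {
		_, err := CheckURL(t, pol, StubLookup)
		fmt.Printf("%-44s %v\n", t, err)
	}
}
```

Two points the block only hints at: the returned addresses must be what the HTTP client actually dials (a custom DialContext that does not resolve again), and the same check has to run on every redirect hop through http.Client's CheckRedirect, since a permitted external host can otherwise 302 the server into a blocked one. A filter that skips either step is incomplete in the same sense the advisory describes.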

Recommendation

Upgrade Gitea to a version later than 1.26.2 that contains the fix. Until the upgrade is done, keep the allow-lists as narrow as the deployment permits: in app.ini, [webhook] ALLOWED_HOST_LIST and [migrations] ALLOWED_DOMAINS, BLOCKED_DOMAINS and ALLOW_LOCALNETWORKS govern which destinations webhooks and migrations may reach, and a deployment that does not need private or loopback targets should not allow them. Because this CVE weakens the application-layer filter itself, also add network-layer egress filtering (firewall rules on the Gitea host or its network segment) so that a bypassed allow-list still cannot reach internal services or metadata endpoints.

Original NVD description (English source)

Gitea versions up to and including 1.26.2 have incomplete SSRF protection in webhook and migration allow-list filtering.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS