CVE Catalog
CVE-2026-28705
Exploitation Probability (EPSS)
Low risk: 0.18%
8th percentile (higher than 8% of all known CVEs)
Summary
A vulnerability in Gitea before version 1.25.5 allows specially crafted release tag and asset names to affect dump output paths when dumping release assets.
Risk Assessment
An attacker could exploit this to overwrite or place files in unintended filesystem locations, potentially leading to privilege escalation or data integrity compromise.
Recommendation
Immediately upgrade Gitea to version 1.25.5 or later, which includes a security fix.
Original NVD description (English source)
Gitea versions before 1.25.5 use release tag names and asset names as filesystem path components when dumping release assets, allowing specially crafted names to affect dump output paths.
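The pattern the description names, shown as an added example (this is not Gitea's code and not the fix shipped in 1.25.5): an unchecked join of tag and asset names next to a validated one. The function names, the base directory and the sample names are constructed for illustration, and rejecting every name that contains a separator is an assumption of this sketch.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// naiveDumpPath joins untrusted names directly, the pattern the advisory describes.
func naiveDumpPath(base, tag, asset string) string {
	return filepath.Join(base, tag, asset)
}

var errUnsafeName = errors.New("unsafe path component")

// checkComponent accepts a name only if it is a single path element.
// Assumption: names containing a separator are rejected rather than encoded.
func checkComponent(name string) error {
	if name == "" || name == "." || name == ".." ||
		strings.ContainsAny(name, `/\`) || strings.ContainsRune(name, 0) {
		return fmt.Errorf("%w: %q", errUnsafeName, name)
	}
	return nil
}

// safeDumpPath validates both names, then confirms the result stays under base.
func safeDumpPath(base, tag, asset string) (string, error) {
	for _, n := range []string{tag, asset} {
		if err := checkComponent(n); err != nil {
			return "", err
		}
	}
	full := filepath.Join(base, tag, asset)
	rel, err := filepath.Rel(base, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: escapes %s", errUnsafeName, base)
	}
	return full, nil
}

func main() {
	base := filepath.Join("dump", "releases") // constructed sample values below
	for _, c := range [][2]string{{"v1.0.0", "app.tar.gz"}, {"../../outside", "f"}, {"v1", ".."}} {
		p, err := safeDumpPath(base, c[0], c[1])
		fmt.Printf("naive=%s safe=%q err=%v\n", naiveDumpPath(base, c[0], c[1]), p, err)
	}
}
```

The containment check after the join is kept as a second layer so that a later change to the component rules cannot silently reintroduce an escape from the dump directory.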

