CVE Catalog

CVE-2026-28705

Low risk · EPSS 8th percentile

Exploitation Probability (EPSS)

Low risk
0.18%

8th percentile — higher than 8% of all known CVEs

Summary

A vulnerability in Gitea before version 1.25.5 allows specially crafted release tag names and asset names to alter the output paths written when release assets are dumped.

Risk Assessment

An attacker could exploit this to overwrite or place files in unintended filesystem locations, potentially leading to privilege escalation or data integrity compromise.

Recommendation

Immediately upgrade Gitea to version 1.25.5 or later, which includes a security fix.

Original NVD description (English source)

Gitea versions before 1.25.5 use release tag names and asset names as filesystem path components when dumping release assets, allowing specially crafted names to affect dump output paths.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS