CVE Catalog

CVE-2026-20909

Low risk · EPSS 5%

Exploitation Probability (EPSS)

Low risk
0.16%

5th percentile — higher than 5% of all known CVEs

Summary

Gitea versions before 1.25.5 have insufficient permission checks when listing tracked time entries. An attacker may gain access to time data of other users without proper authorization.

Risk Assessment

The risk is leakage of sensitive user time-tracking information, which could compromise data confidentiality and violate organizational security policies.

Recommendation

Upgrade Gitea to version 1.25.5 or later immediately; that release includes a fix for this vulnerability.

Original NVD description (English source)

Gitea versions before 1.25.5 have insufficient permission checks when listing tracked time entries.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS