CVE-2026-27779
Risk rating: Low
Exploitation Probability (EPSS): 0.17%, 6th percentile (higher than 6% of all known CVEs)
Summary
Gitea versions before 1.25.5 accept malformed or injected forwarded-proto values when detecting the public URL, which enables spoofed canonical URL generation.
Risk Assessment
An attacker can exploit this vulnerability to make Gitea generate spoofed canonical URLs, potentially redirecting users to malicious sites or compromising the integrity of links the system produces.
Recommendation
Immediately upgrade Gitea to version 1.25.5 or later, which includes a fix that prevents accepting malformed forwarded-proto values.
Original NVD description (English source)
Gitea versions before 1.25.5 accept malformed or injected forwarded-proto values when detecting public URLs, allowing spoofed canonical URL generation.