CVE Catalog

CVE-2026-27779

Low risk · EPSS 6th percentile
Published: (date not present on page) · Translated from NVD (NIST)

Exploitation Probability (EPSS)

Low risk
0.17%

6th percentile — higher than 6% of all known CVEs

Summary

A vulnerability in Gitea versions before 1.25.5 causes malformed or injected forwarded-proto values to be accepted when Gitea detects its public URL, enabling generation of spoofed canonical URLs.

Risk Assessment

An attacker who can inject forwarded-proto values can make Gitea generate spoofed canonical URLs, potentially redirecting users to malicious sites or undermining the integrity of links the system produces.

Recommendation

Immediately upgrade Gitea to version 1.25.5 or later; that release includes a fix that rejects malformed forwarded-proto values.

Original NVD description (English source)

Gitea versions before 1.25.5 accept malformed or injected forwarded-proto values when detecting public URLs, allowing spoofed canonical URL generation.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS