x/vulndb: potential Go vuln in github.com/go-gitea/gitea: GHSA-393c-qgvj-3xph

Advisory [GHSA-393c-qgvj-3xph](https://github.com/advisories/GHSA-393c-qgvj-3xph) references a vulnerability in the following Go modules:

| Module |
| - |
| [code.gitea.io/gitea](https://pkg.go.dev/code.gitea.io/gitea) |

Description:
Gitea does not properly validate repository ownership when deleting Git LFS locks. A user with write access to one repository may be able to delete LFS locks belonging to other repositories.

References:
- ADVISORY: https://github.com/advisories/GHSA-393c-qgvj-3xph
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2026-20897
- FIX: https://github.com/go-gitea/gitea/commit/da036f3f35ca830b22cf4480912ed261303b798f
- FIX: https://github.com/go-gitea/gitea/pull/36344
- FIX: https://github.com/go-gitea/gitea/pull/36349
- WEB: https://blog.gitea.com/release-of-1.25.4
- WEB: https://github.com/go-gitea/gitea/releases/tag/v1.25.4

Cross references:
- code.gitea.io/gitea appears in 30 other report(s):
  - data/reports/GO-2022-0310.yaml    (https://github.com/golang/vulndb/issues/310)
  - data/reports/GO-2022-0315.yaml    (https://github.com/golang/vulndb/issues/315)
  - data/reports/GO-2022-0353.yaml    (https://github.com/golang/vulndb/issues/353)
  - data/reports/GO-2022-0442.yaml    (https://github.com/golang/vulndb/issues/442)
  - data/reports/GO-2022-0450.yaml    (https://github.com/golang/vulndb/issues/450)
  - data/reports/GO-2022-0609.yaml    (https://github.com/golang/vulndb/issues/609)
  - data/reports/GO-2022-0612.yaml    (https://github.com/golang/vulndb/issues/612)
  - data/reports/GO-2022-0830.yaml    (https://github.com/golang/vulndb/issues/830)
  - data/reports/GO-2022-0832.yaml    (https://github.com/golang/vulndb/issues/832)
  - data/reports/GO-2022-0844.yaml    (https://github.com/golang/vulndb/issues/844)
  - data/reports/GO-2022-0982.yaml    (https://github.com/golang/vulndb/issues/982)
  - data/reports/GO-2022-1065.yaml    (https://github.com/golang/vulndb/issues/1065)
  - data/reports/GO-2023-1894.yaml    (https://github.com/golang/vulndb/issues/1894)
  - data/reports/GO-2023-1922.yaml    (https://github.com/golang/vulndb/issues/1922)
  - data/reports/GO-2023-1971.yaml    (https://github.com/golang/vulndb/issues/1971)
  - data/reports/GO-2023-1999.yaml    (https://github.com/golang/vulndb/issues/1999)
  - data/reports/GO-2024-2752.yaml    (https://github.com/golang/vulndb/issues/2752)
  - data/reports/GO-2024-2757.yaml    (https://github.com/golang/vulndb/issues/2757)
  - data/reports/GO-2024-2769.yaml    (https://github.com/golang/vulndb/issues/2769)
  - data/reports/GO-2024-3056.yaml    (https://github.com/golang/vulndb/issues/3056)
  - data/reports/GO-2025-4258.yaml    (https://github.com/golang/vulndb/issues/4258)
  - data/reports/GO-2025-4261.yaml    (https://github.com/golang/vulndb/issues/4261)
  - data/reports/GO-2025-4262.yaml    (https://github.com/golang/vulndb/issues/4262)
  - data/reports/GO-2025-4263.yaml    (https://github.com/golang/vulndb/issues/4263)
  - data/reports/GO-2025-4264.yaml    (https://github.com/golang/vulndb/issues/4264)
  - data/reports/GO-2025-4265.yaml    (https://github.com/golang/vulndb/issues/4265)
  - data/reports/GO-2025-4266.yaml    (https://github.com/golang/vulndb/issues/4266)
  - data/reports/GO-2025-4267.yaml    (https://github.com/golang/vulndb/issues/4267)
  - data/reports/GO-2025-4268.yaml    (https://github.com/golang/vulndb/issues/4268)
  - data/reports/GO-2026-4274.yaml    (https://github.com/golang/vulndb/issues/4274)

See [doc/quickstart.md](https://github.com/golang/vulndb/blob/master/doc/quickstart.md) for instructions on how to triage this report.

```
id: GO-ID-PENDING
modules:
    - module: code.gitea.io/gitea
      versions:
        - fixed: 1.25.4
      vulnerable_at: 1.25.3
summary: |-
    Gitea does not properly validate repository ownership when deleting Git LFS
    locks in code.gitea.io/gitea
cves:
    - CVE-2026-20897
ghsas:
    - GHSA-393c-qgvj-3xph
references:
    - advisory: https://github.com/advisories/GHSA-393c-qgvj-3xph
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2026-20897
    - fix: https://github.com/go-gitea/gitea/commit/da036f3f35ca830b22cf4480912ed261303b798f
    - fix: https://github.com/go-gitea/gitea/pull/36344
    - fix: https://github.com/go-gitea/gitea/pull/36349
    - web: https://blog.gitea.com/release-of-1.25.4
    - web: https://github.com/go-gitea/gitea/releases/tag/v1.25.4
source:
    id: GHSA-393c-qgvj-3xph
    created: 2026-01-23T21:01:25.871219578Z
review_status: UNREVIEWED

```

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

x/vulndb: potential Go vuln in github.com/go-gitea/gitea: GHSA-393c-qgvj-3xph #4363

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

x/vulndb: potential Go vuln in github.com/go-gitea/gitea: GHSA-393c-qgvj-3xph #4363

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions