Affected by GO-2023-1894
and 10 other vulnerabilities
GO-2023-1894: code.gitea.io/gitea Open Redirect vulnerability
GO-2024-3056: Gitea Cross-site Scripting Vulnerability in code.gitea.io/gitea
GO-2025-4258: Gitea mishandles authorization for deletion of releases in code.gitea.io/gitea
GO-2025-4261: Gitea allows attackers to add attachments with forbidden file extensions in code.gitea.io/gitea
GO-2025-4262: Gitea: anonymous user can visit private user's project in code.gitea.io/gitea
GO-2025-4263: Gitea allows XSS because the search input box (for creating tags and branches) is v-html instead of v-text in code.gitea.io/gitea
GO-2025-4264: Gitea sometimes mishandles propagation of token scope for access control within one of its own package registries in code.gitea.io/gitea
GO-2025-4265: Gitea vulnerable to Cross-site Scripting in code.gitea.io/gitea
GO-2025-4266: Gitea inadvertently discloses users' login times by allowing (for example) the lastlogintime explore/users sort order in code.gitea.io/gitea
GO-2025-4267: Gitea doesn't adequately enforce branch deletion permissions after merging a pull request. in code.gitea.io/gitea
GO-2025-4268: Gitea mishandles access to a private resource upon receiving an API token with scope limited to public resources in code.gitea.io/gitea
HashAvatar will generate a unique string, which ensures that when there's a
different unique ID while the data is the same, it will generate a different
output. It will generate the output according to:
HEX(HASH(uniqueID || - || data))
The hash being used is SHA256.
The sole purpose of the unique ID is to generate a distinct hash Such that
two unique IDs with the same data will have a different hash output.
The "-" byte is important to ensure that data cannot be modified such that
the first byte is a number, which could lead to a "collision" with the hash
of another unique ID.
Affected by 
Documentation
¶
Source Files
Directories