Affected by GO-2025-4258
and 11 other vulnerabilities
GO-2025-4258: Gitea mishandles authorization for deletion of releases in code.gitea.io/gitea
GO-2025-4261: Gitea allows attackers to add attachments with forbidden file extensions in code.gitea.io/gitea
GO-2026-4274: Gitea's /api/v1/user endpoint has different responses for failed authentication depending on whether a username exists in code.gitea.io/gitea
GO-2026-4362: Gitea improperly exposes issue and pull request titles in code.gitea.io/gitea
GO-2026-4363: Gitea does not properly validate repository ownership when deleting Git LFS locks in code.gitea.io/gitea
GO-2026-4364: Gitea does not properly validate repository ownership when linking attachments to releases in code.gitea.io/gitea
GO-2026-4365: Gitea may send release notification emails for private repositories to users whose access has been revoked in code.gitea.io/gitea
GO-2026-4366: Gitea does not properly verify authorization when canceling scheduled auto-merges via the web interface in code.gitea.io/gitea
GO-2026-4367: Gitea has improper access control for uploaded attachments in code.gitea.io/gitea
GO-2026-4368: Gitea improperly exposes issue titles and repository names through previously started stopwatches in code.gitea.io/gitea
GO-2026-4369: Gitea does not properly validate ownership when toggling OpenID URI visibility in code.gitea.io/gitea
GO-2026-4370: Gitea does not properly validate project ownership in organization project operations in code.gitea.io/gitea
CmdArg represents a command argument for git command, and it will be used for the git command directly without any further processing.
In most cases, you should use the "AddXxx" functions to add arguments, but not use this type directly.
Casting a risky (user-provided) string to CmdArg would cause security issues if it's injected with a "--xxx" argument.
Affected by 
Documentation
¶
Source Files