{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-20T23:45:33.261","vulnerabilities":[{"cve":{"id":"CVE-2026-25229","sourceIdentifier":"security-advisories@github.com","published":"2026-02-19T07:17:45.363","lastModified":"2026-02-19T19:45:35.503","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Gogs is an open source self-hosted Git service. Versions 0.13.4 and below have a broken access control vulnerability which allows authenticated users with write access to any repository to modify labels belonging to other repositories. The UpdateLabel function in the Web UI (internal/route/repo/issue.go) fails to verify that the label being modified belongs to the repository specified in the URL path, enabling cross-repository label tampering attacks. The vulnerability exists in the Web UI's label update endpoint POST /:username/:reponame/labels/edit. The handler function UpdateLabel uses an incorrect database query function that bypasses repository ownership validation. This issue has been fixed in version 0.14.1."},{"lang":"es","value":"Gogs es un servicio Git de código abierto autoalojado. Las versiones 0.13.4 e inferiores tienen una vulnerabilidad de control de acceso roto que permite a usuarios autenticados con acceso de escritura a cualquier repositorio modificar etiquetas pertenecientes a otros repositorios. La función UpdateLabel en la interfaz de usuario web (Web UI) (internal/route/repo/issue.go) no verifica que la etiqueta que se está modificando pertenezca al repositorio especificado en la ruta URL, lo que permite ataques de manipulación de etiquetas entre repositorios. La vulnerabilidad existe en el endpoint de actualización de etiquetas de la interfaz de usuario web (Web UI) POST /:username/:reponame/labels/edit. La función gestora UpdateLabel utiliza una función de consulta de base de datos incorrecta que omite la validación de propiedad del repositorio. Este problema ha sido corregido en la versión 0.14.1."}],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":3.6}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-284"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:gogs:gogs:*:*:*:*:*:*:*:*","versionEndExcluding":"0.14.1","matchCriteriaId":"44DD72D9-ED94-407D-8C71-6C2B039C65BB"}]}]}],"references":[{"url":"https://github.com/gogs/gogs/commit/643a6d6353cb6a182a4e1f0720228727f30a3ad2","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/gogs/gogs/security/advisories/GHSA-cv22-72px-f4gh","source":"security-advisories@github.com","tags":["Exploit","Vendor Advisory","Mitigation"]}]}}]}