CVE-2025-68939

Description

Gitea before 1.23.0 allows attackers to add attachments with forbidden file extensions by editing an attachment name via an attachment API.

How to fix CVE-2025-68939

To remediate CVE-2025-68939, upgrade the affected package to a fixed version below.

• Bitnami/gitea—upgrade to 1.23.0 or later
• —no fix listed
• —no fix listed

Is CVE-2025-68939 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

• from 0, < 1.23.0
• from 0
• from 0

CVSS scores

References (7)

• ADVISORYgithub.com/advisories/GHSA-263q-5cv3-xq9g
• ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-68939
• PATCHgithub.com/go-gitea/gitea
• WEBblog.gitea.com/release-of-1.23.0
• WEBblog.gitea.com/release-of-1.23.0/