The Forgejo v8.0.1 & v7.0.7 releases contain a security fix for a cross-site scripting (XSS) vulnerability that allowed repository owners to create links that executed javascript when clicking on them.
Read more →The Forgejo v1.21.11-0 release contains two security fixes: a privilege escalation that allows any registered user to change the visibility of any public repository; and a cross-site scripting (XSS) vulnerability that enabled attackers to run unsandboxed client-side scripts on pages served from the forge's domain.
Read more →No direct impact of the xz backdoor (CVE-2024-3094) on Forgejo. The infrastructure that powers Forgejo is not impacted by this vulnerability. Forgejo itself is also not affected, however if you run an OpenSSH server for Git over SSH you could be affected by this CVE.
Read more →The Forgejo v1.21.6-0 release contains a security fix for Cross-site scripting (XSS) vulnerabilities. It enabled attackers to inject client-side scripts into web pages displayed to Forgejo visitors.
Read more →The Forgejo v1.21.2-1 release contains an additional security fix related to permissions enforcement of API endpoints.
Read more →