CVE-2025-68937 CRITICAL

Vendor: Forgejo
Product: Forgejo
Weakness: CWE-61
Published: December 25, 2025
Last update: December 26, 2025

CVSS base score

9.5/10
Attack vector: Network
Attack complexity: High
Privileges required: None
User interaction: None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

What the vulnerability does

01 Description

Forgejo before 13.0.2 allows attackers to write to unintended files, and possibly obtain server shell access, because of mishandling of out-of-repository symlink destinations for template repositories. This is also fixed for 11 LTS in 11.0.7 and later.

Key dates

02 Disclosure timeline

December 25, 2025: CVE published
December 26, 2025: Record updated