What the vulnerability does
01Description
Gitea before 1.22.2 allows XSS because the search input box (for creating tags and branches) is v-html instead of v-text.
CVSS base score
5.4/10
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Key dates
02Disclosure timeline
December 26, 2025
CVE published
December 26, 2025
Record updated
External resources
03References
Related vulnerabilities
04Related CVE
CVE-2025-49337 WordPress Dashboard Beacon plugin <= 1.2.0 - Cross Site Scripting (XSS) vulnerability
CVE-2014-5411 Schneider Electric SCADA Expert ClearSCADA Cross-site Scripting
CVE-2023-3752 Creativeitem Academy LMS courses cross site scripting
CVE-2023-49258 Reflected cross-site scripting vulnerability
CVE-2025-10191 Big Post Shipping for WooCommerce <= 2.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
