Gitea Login Time Disclosure Vulnerability

Vulnerability

Gitea versions prior to 1.21.8 allow the unintended disclosure of users' login times. The user listing at '/explore/users' accepts a 'lastlogintime' sort order; ordering the list by it exposes users' login times, and with them their activity, to anyone who can view the page.

Impact

Anyone who can view the '/explore/users' page can learn users' login times without authorization. This is an information disclosure only: it grants no access to accounts or repositories, but it reveals which accounts are active and when, which aids reconnaissance against their owners.

Reproduction

To reproduce, open the '/explore/users' page of a Gitea instance running a version prior to 1.21.8 and sort the user list by 'lastlogintime'. The resulting listing exposes users' login times, and therefore their recent activity, which the page is not meant to reveal.
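Before trying the steps above against a production instance, it is worth confirming from the outside whether the instance is even in the affected range. The following script is an added example and is not part of the original advisory or of Gitea itself: it reads the version string Gitea reports at its unauthenticated '/api/v1/version' endpoint and classifies it against the 1.21.8 fix boundary. The sample responses are constructed for the example, and the handling of '+dev' and '-rc' builds (reported as 'unknown') is a conservative assumption of this example, not something the advisory states.

```python
"""Version-based triage for the Gitea /explore/users login-time disclosure.

Added example, not part of the original advisory or of Gitea itself.
Gitea reports its version as JSON at GET /api/v1/version; this script
parses that string and decides whether the release is before 1.21.8.
"""
import json
import re
import urllib.request
from typing import Tuple

FIXED_VERSION = (1, 21, 8)        # first release with the fix, per the advisory
_LAST_AFFECTED_TAG = (1, 21, 7)   # tag reported by dev builds on the 1.21 branch

# Gitea version strings look like "1.21.7", "1.22.0-rc0" or "1.21.7+dev-42-gabcdef1".
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(.*)$")


def parse_gitea_version(raw: str) -> Tuple[Tuple[int, int, int], str]:
    """Split a Gitea version string into (major, minor, patch) and a suffix."""
    m = _VERSION_RE.match(raw.strip())
    if not m:
        raise ValueError(f"unrecognised Gitea version string: {raw!r}")
    core = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    return core, m.group(4)


def triage_version(raw: str) -> str:
    """Return 'affected', 'fixed' or 'unknown' for a Gitea version string.

    'unknown' (an assumption of this example) covers builds whose version
    string cannot tell us whether the fix commit is present: development
    builds from the 1.21 release branch, which report the last tag (1.21.7)
    plus '+dev', and release candidates of the fix version itself.
    """
    core, suffix = parse_gitea_version(raw)
    if core > FIXED_VERSION:
        return "fixed"
    if core == FIXED_VERSION:
        return "unknown" if suffix.startswith("-rc") else "fixed"
    if core == _LAST_AFFECTED_TAG and "+dev" in suffix:
        return "unknown"
    return "affected"


def triage_version_response(body: str) -> str:
    """Triage the JSON body returned by GET /api/v1/version."""
    data = json.loads(body)
    if not isinstance(data, dict) or "version" not in data:
        raise ValueError("response does not look like Gitea's /api/v1/version")
    return triage_version(data["version"])


def fetch_and_triage(base_url: str, timeout: float = 5.0) -> str:
    """Query a live instance (needs network access; not used by the offline demo)."""
    url = base_url.rstrip("/") + "/api/v1/version"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return triage_version_response(resp.read().decode("utf-8"))


# Constructed sample responses in the shape Gitea returns; not captured from real hosts.
SAMPLE_RESPONSES = {
    "patch release before the fix": '{"version":"1.21.7"}',
    "fixed patch release":          '{"version":"1.21.8"}',
    "older minor release":          '{"version":"1.20.5"}',
    "later minor release":          '{"version":"1.22.1"}',
    "release-branch dev build":     '{"version":"1.21.7+dev-42-gabcdef1"}',
}

if __name__ == "__main__":
    for label, body in SAMPLE_RESPONSES.items():
        version = json.loads(body)["version"]
        print(f"{label:32s} {version:28s} -> {triage_version_response(body)}")
```

Run it as a script to see the constructed samples classified; call `fetch_and_triage("https://gitea.example.org")` against a host you are authorised to test to triage a live instance. A verdict of 'unknown' means the version string alone does not settle the question and the instance should be checked by the reproduction steps or by inspecting the build's commit.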

Remediation

Upgrade to Gitea 1.21.8 or later. Until the upgrade is applied, exposure can be reduced by limiting who can reach the listing, for example with Gitea's REQUIRE_SIGNIN_VIEW setting (sign-in required to view the site) or the DISABLE_USERS_PAGE option in the [service.explore] section (hides the users page); these shrink the audience but do not remove the disclosure.

Added: Dec 26, 2025, 4:19 AM
Updated: Dec 26, 2025, 4:19 AM

Vulnerability Rating

Custom Algorithm
spread          7.6
impact          2.5
exploitability  7.9
remediation     7.7
relevance       1.7
threat          1.6
urgency         2.9
incentive       5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.