CVE-2019-11229

HIGH

Gitea < 1.7.6 and 1.8.x < 1.8-RC3 - Remote Code Execution via Mirror Repository URL Mishandling

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-11229. PoCs published by 1F98D.

AI-analyzed exploit summary This exploit leverages a vulnerability in Gitea's mirror repository URL handling to achieve authenticated remote code execution. It injects a malicious SSH command into the repository's configuration file, which is executed when the mirror sync is triggered.

Description

models/repo_mirror.go in Gitea before 1.7.6 and 1.8.x before 1.8-RC3 mishandles mirror repo URL settings, leading to remote code execution.

Exploits (1)

exploitdb WORKING POC VERIFIED
by 1F98D · pythonwebappsmultiple
https://www.exploit-db.com/exploits/49383

This exploit leverages a vulnerability in Gitea's mirror repository URL handling to achieve authenticated remote code execution. It injects a malicious SSH command into the repository's configuration file, which is executed when the mirror sync is triggered.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Gitea before 1.7.6 and 1.8.x before 1.8-RC3
Auth required
Prerequisites: Authenticated user access to Gitea · Network access to the target Gitea instance · Ability to host a temporary Git repository
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (3)

Core 3
Core References
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/go-gitea/gitea/releases/tag/v1.8.0-rc3
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/go-gitea/gitea/releases/tag/v1.7.6
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/160833/Gitea-1.7.5-Remote-Code-Execution.html

Scores

CVSS v3 8.8
EPSS 0.2655
EPSS Percentile 96.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

Status published
Products (3)
gitea/gitea 1.8.0 rc1 (2 CPE variants)
gitea/gitea < 1.7.6
go-gitea/gitea 0 - 1.7.6Go
Published Apr 15, 2019
Tracked Since Feb 18, 2026