CVE-2021-28378

LOW

Gitea 1.12.0-1.12.5 and < 1.13.4 - Cross-Site Scripting via Issue Data


Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-28378. PoCs published by pandatix.

AI-analyzed exploit summary

This repository provides a detailed technical analysis of CVE-2021-28378, a client-side XSS vulnerability in Gitea due to missing HTML escaping in issue and pull request comments. The writeup includes root cause analysis, patch diffs, and exploitation steps.

Description

Gitea 1.12.x and 1.13.x before 1.13.4 allows XSS via certain issue data in some situations.

Exploits (1)

nomisec WRITEUP 4 stars
by pandatix · poc
https://github.com/pandatix/CVE-2021-28378


Classification
Writeup 95%
Attack Type
XSS
Complexity
Moderate
Reliability
Reliable
Target: Gitea (versions before 1.14.0)
Auth required
Prerequisites: Write access to a Gitea repository to create issues/pull requests with malicious content
devstral-2 · analyzed Feb 18, 2026

References (3)

Core References
Patch, Third Party Advisory (x_refsource_misc): https://github.com/go-gitea/gitea/pull/14898
Release Notes, Vendor Advisory (x_refsource_misc): https://blog.gitea.io/2021/03/gitea-1.13.4-is-released/
Exploit, Third Party Advisory (x_refsource_misc): https://github.com/PandatiX/CVE-2021-28378

Scores

CVSS v3 3.7
EPSS 0.1183
EPSS Percentile 93.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (2)
code.gitea.io/gitea 0 - 1.13.4 (Go)
gitea/gitea 1.12.0 - 1.12.6
Published Mar 15, 2021
Tracked Since Feb 18, 2026