-
CVSS Score
-Basic Information
CVE ID
-
GHSA ID
-
EPSS Score
-
CWE
-
Published
-
Updated
-
KEV Status
-
Technology
-
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AI| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| code.gitea.io/gitea | go | < 1.16.9 | 1.16.9 |
GoGoMiggo AIRoot Cause AnalysisThe patch (65e0688) modifies the ServeData function in routers/common/repo.go to add PDF-specific header handling. Before the fix, PDF files were served without the correct Content-Type (application/octet-stream) and without a restrictive Content-Security-Policy, enabling XSS if a malicious PDF with embedded scripts was uploaded. The vulnerability matches the CWE-79 description of improper input neutralization during web page generation, and the commit directly addresses this by adding security headers for PDFs.
Ongoing coverage of React2Shell