CVE-2024-6886
Published: 06 August 2024
Summary
CVE-2024-6886 is a critical-severity stored Cross-site Scripting (CWE-79) vulnerability in Gitea Open Source Git Server. Its CVSS base score is 10.0 (Critical).
Operationally, it ranks in the top 1.5% of CVEs by EPSS exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2024-6886 is a stored cross-site scripting vulnerability arising from improper neutralization of input during web page generation. It affects Gitea Open Source Git Server version 1.22.0 and is tracked under CWE-79. The flaw carries a CVSS 4.0 base score of 10.0: network attack vector, low attack complexity, and no privileges or user interaction required, with high confidentiality, integrity, and availability impact on both the vulnerable system and subsequent systems (CVSS 4.0 has no scope metric; its subsequent-system impact is the counterpart of a 3.x scope change).
As scored, an unauthenticated remote attacker can supply crafted input that is persisted and later rendered unescaped in other users' browsers, enabling theft of session tokens, account takeover, or arbitrary actions within the Gitea instance with the victim's rights. Note that, like any stored XSS, nothing executes until a victim loads the page that carries the payload, so the no-user-interaction rating should be read as the CNA's scoring choice rather than a description of the attack flow.
The Gitea 1.22.1 release announcement and the associated pull request 31200 indicate that the issue is fixed in that version; operators can confirm the running version from the administration dashboard or with `gitea --version` on the host. The EPSS score of 0.2520 (both current and peak) reflects moderate exploitation probability, with no evidence of a post-disclosure rise.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-2490
Vulnerability details
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Gitea Gitea Open Source Git Server allows Stored XSS. This issue affects Gitea Open Source Git Server: 1.22.0.
- CWE(s): CWE-79 (Improper Neutralization of Input During Web Page Generation)
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation and sanitization of untrusted input before persistence or rendering, blocking the crafted payloads that cause stored XSS in Gitea.
- SI-15 (Information Output Filtering): requires filtering or encoding of information on output, neutralizing persisted malicious scripts before they execute in users' browsers.
- Detects unauthorized modification or injection of scripts into web content, providing visibility into successful stored-XSS exploitation.
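The stored-XSS mechanism described under Deeper analysis and the SI-10/SI-15 controls above, shown side by side in working Go code. This is an added illustration, not Gitea's code and not the change in pull request 31200: the page does not say which field carried the payload, so the `Description` field, the template fragment, the 255-character limit, and the script payload are all constructed for the example. The unsafe renderer uses Go's `text/template`, which performs no escaping, and the hardened one uses `html/template`, which encodes the value for the HTML context it lands in (SI-15). `validateDescription` is the SI-10 side, and `containsLiveScript` is the crude kind of check a reviewer or monitor could run over rendered output to spot an unescaped script element.

```go
package main

import (
	"bytes"
	"fmt"
	htmltemplate "html/template"
	"strings"
	texttemplate "text/template"
	"unicode"
	"unicode/utf8"
)

// storedPayload is a constructed sample of the kind of value a stored-XSS
// bug persists: a short free-text field carrying a script element.
// It is not the real CVE-2024-6886 payload, which the page does not give.
const storedPayload = `My repo <script>fetch("/logout")</script>`

// page is the HTML fragment the stored value is interpolated into.
const page = `<p class="desc">{{.Description}}</p>`

// maxDescriptionLen is an assumed limit for the example field.
const maxDescriptionLen = 255

type view struct{ Description string }

// renderUnsafe mirrors the vulnerable pattern: the stored string is
// interpolated with text/template, which does no escaping, so markup in
// the stored value reaches the browser as live HTML.
func renderUnsafe(desc string) string {
	t := texttemplate.Must(texttemplate.New("p").Parse(page))
	var buf bytes.Buffer
	if err := t.Execute(&buf, view{Description: desc}); err != nil {
		panic(err)
	}
	return buf.String()
}

// renderSafe is the hardened form (SI-15, output filtering): html/template
// escapes the value for the HTML text context it lands in, so the stored
// payload is displayed as text rather than executed.
func renderSafe(desc string) string {
	t := htmltemplate.Must(htmltemplate.New("p").Parse(page))
	var buf bytes.Buffer
	if err := t.Execute(&buf, view{Description: desc}); err != nil {
		panic(err)
	}
	return buf.String()
}

// validateDescription is the SI-10 side: reject input that should never be
// stored in a short free-text field (control characters, excessive length).
// It deliberately does not strip "<": a description may legitimately contain
// one, and relying on input filtering alone is how stored XSS gets missed.
// The output encoding in renderSafe is what actually neutralizes the payload.
func validateDescription(s string) error {
	if utf8.RuneCountInString(s) > maxDescriptionLen {
		return fmt.Errorf("description longer than %d characters", maxDescriptionLen)
	}
	for _, r := range s {
		if unicode.IsControl(r) {
			return fmt.Errorf("description contains control character U+%04X", r)
		}
	}
	return nil
}

// containsLiveScript reports whether rendered HTML still carries an
// unescaped script element (a crude detection check over page output).
func containsLiveScript(html string) bool {
	return strings.Contains(strings.ToLower(html), "<script")
}

func main() {
	if err := validateDescription(storedPayload); err != nil {
		fmt.Println("rejected at input:", err)
		return
	}
	raw := renderUnsafe(storedPayload)
	safe := renderSafe(storedPayload)
	fmt.Printf("text/template: %s\n  live script: %v\n", raw, containsLiveScript(raw))
	fmt.Printf("html/template: %s\n  live script: %v\n", safe, containsLiveScript(safe))
}
```

The payload passes input validation, which is the point: a description containing angle brackets is not malformed, so a field-level filter cannot be the only defence. The same value rendered through `html/template` comes out as `&lt;script&gt;...&lt;/script&gt;` and never executes.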