Cyber Resilience

CVE-2024-6886

Critical

Published: 06 August 2024

Modified: 15 April 2026
CVSS v4 score: 10.0 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.4032 (98.5th percentile)
Risk priority: 70 (floored blend, peak EPSS)

Summary

CVE-2024-6886 is a critical-severity Cross-site Scripting (CWE-79) vulnerability in Gitea Open Source Git Server (vendor Gitea; product inferred from references). Its CVSS base score is 10.0 (Critical).

Operationally, it ranks in the top 1.5% of CVEs by exploit likelihood (EPSS), but it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2024-6886 is a stored cross-site scripting vulnerability arising from improper neutralization of input during web page generation. It affects Gitea Open Source Git Server version 1.22.0 and is tracked under CWE-79. The flaw carries a CVSS 4.0 score of 10.0 with a network attack vector, low complexity, and no requirements for privileges or user interaction.

An unauthenticated remote attacker can supply crafted input that is persisted and later rendered in other users' browsers, enabling theft of session tokens, account takeover, or execution of arbitrary actions within the Gitea instance with full confidentiality, integrity, and availability impact plus scope change.

The Gitea 1.22.1 release announcement and associated pull request 31200 indicate that the issue is resolved in that version. The current and peak EPSS score of 0.2520 reflects moderate exploitation probability without evidence of a post-disclosure rise.

Vulnerability details

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Gitea Gitea Open Source Git Server allows Stored XSS. This issue affects Gitea Open Source Git Server: 1.22.0.

CVEs Like This One

CVE-2021-38903 (shared CWE-79)
CVE-2021-39183 (shared CWE-79)
CVE-2021-38350 (shared CWE-79)
CVE-2022-0372 (shared CWE-79)
CVE-2022-1396 (shared CWE-79)
CVE-2021-24841 (shared CWE-79)
CVE-2021-31813 (shared CWE-79)
CVE-2021-40888 (shared CWE-79)
CVE-2022-1571 (shared CWE-79)
CVE-2021-32668 (shared CWE-79)

Affected Assets

Vendor: Gitea
Product: Gitea Open Source Git Server (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5)

SI-10, Information Input Validation (prevent): directly requires validation and sanitization of untrusted input before persistence or rendering, blocking the crafted payloads that cause stored XSS in Gitea.

SI-15, Information Output Filtering (prevent): requires filtering or encoding of information on output, neutralizing persisted malicious scripts before they execute in users' browsers.

Detect: detects unauthorized modification or injection of scripts into web content, providing visibility into successful stored-XSS exploitation.
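As an added illustration of the two preventive controls above (this is not code from Gitea, from pull request 31200 or from this advisory; the stored value, the template fragment and the identifier allowlist are constructed assumptions), the following Go program renders the same persisted value with and without contextual output escaping, and applies an allowlist check before persistence:

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	"regexp"
	texttemplate "text/template"
)

// Constructed stored value (not from the Gitea issue) and the page fragment
// both renderers insert it into at {{.}}.
const storedPayload = `<img src=x onerror="alert(1)">`
const fragment = `<p class="desc">{{.}}</p>`

// Weak setting: text/template substitutes the stored value verbatim, so
// markup in it reaches the browser unchanged.
func renderUnfiltered(v string) (string, error) {
	var buf bytes.Buffer
	err := texttemplate.Must(texttemplate.New("frag").Parse(fragment)).Execute(&buf, v)
	return buf.String(), err
}

// SI-15 style output filtering: html/template escapes the value for its HTML
// context, so stored markup renders as inert text rather than as elements.
func renderFiltered(v string) (string, error) {
	var buf bytes.Buffer
	err := template.Must(template.New("frag").Parse(fragment)).Execute(&buf, v)
	return buf.String(), err
}

// SI-10 style input validation before persistence: an assumed allowlist for
// short fields such as display names; reject rather than try to strip tags.
var identifierRe = regexp.MustCompile(`^[A-Za-z0-9._-]{1,64}$`)

func validateIdentifier(s string) error {
	if !identifierRe.MatchString(s) {
		return fmt.Errorf("%q contains characters outside the allowlist", s)
	}
	return nil
}

func main() {
	raw, _ := renderUnfiltered(storedPayload)
	safe, _ := renderFiltered(storedPayload)
	fmt.Println("unfiltered:", raw, "\nfiltered:", safe, "\nvalidate:", validateIdentifier(storedPayload))
}
```

Output encoding is the control that holds even when a value was persisted before validation was in place, which is why the two controls are listed together rather than as alternatives.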